THREAT ALERT

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Get CVEs that hit your stack — not 200/day

Pick your technologies, get a weekly digest by email. Free, no spam.

React Python Postgres +200 more

React Next.js Python Postgres AWS +200 more

Trending Now See all

Critical Watch See all

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Incoming 20

Pre-NVD – not yet scored

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — June 06, 2025

343 CVEs tracked today. 11 Critical, 95 High, 209 Medium, 28 Low.

CVE-2025-49073 CRITICAL CVSS 9.8
Critical deserialization of untrusted data vulnerability in Axiomthemes Sweet Dessert that enables object injection attacks. The vulnerability affects Sweet Dessert versions before 1.1.13 and allows remote attackers to inject malicious serialized objects without authentication, potentially achieving remote code execution with complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction or privileges, this represents a critical internet-exposed risk.

Deserialization
CVE-2025-49072 CRITICAL CVSS 9.8
Critical deserialization vulnerability in AncoraThemes Mr. Murphy WordPress theme that allows unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (confidentiality, integrity, and availability impact). All versions before 1.2.12.1 are vulnerable. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this vulnerability presents an immediate, high-priority threat to affected WordPress installations.

Deserialization
CVE-2025-48782 CRITICAL CVSS 9.8
Critical remote code execution vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408, stemming from unrestricted file uploads that bypass type validation. An unauthenticated remote attacker can upload a malicious file (e.g., executable, script) and execute arbitrary system commands with no user interaction required, achieving complete system compromise. With a CVSS score of 9.8 (critical) and an unauthenticated attack vector, this poses immediate and severe risk to all unpatched deployments.

File Upload Hr Portal
CVE-2025-48780 CRITICAL CVSS 9.8
Critical remote code execution vulnerability in Soar Cloud HRD Human Resource Management System (versions through 7.3.2025.0408) caused by unsafe deserialization of untrusted data in the download file function. An unauthenticated remote attacker can exploit this to execute arbitrary system commands with no user interaction required, achieving complete compromise of confidentiality, integrity, and availability. The CVSS 9.8 severity and network-accessible attack vector indicate this is a high-priority threat requiring immediate patching.

Deserialization Hr Portal
CVE-2025-47586 CRITICAL CVSS 9.0
PHP Local File Inclusion (LFI) vulnerability in StylemixThemes Motors - Events plugin affecting versions up to 1.4.7, allowing unauthenticated remote attackers to include and execute arbitrary PHP files under certain conditions. With a CVSS score of 9.0 and network accessibility, this vulnerability enables complete system compromise through code execution. Active exploitation status and proof-of-concept availability should be verified through KEV database and security research databases.

PHP Information Disclosure LFI
CVE-2025-41646 CRITICAL CVSS 9.8
Critical remote authentication bypass vulnerability affecting an unspecified software package, exploitable through improper type conversion handling (CWE-704). An unauthenticated network attacker can bypass authentication controls without user interaction to achieve complete device compromise including confidentiality, integrity, and availability violations. The vulnerability carries a maximum CVSS 3.1 score of 9.8 with network accessibility and low attack complexity, indicating high real-world exploitability risk; without access to KEV/EPSS data or POC confirmation, exploitation likelihood cannot be definitively assessed but the attack vector and complexity profile suggests active exploitation potential.

Authentication Bypass Revpi Status
CVE-2025-27531 CRITICAL CVSS 9.8
Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows authenticated attackers to read arbitrary files through parameter manipulation ('double writing' the param). With a CVSS 9.8 score and network-based attack vector requiring no user interaction, this represents a high-severity information disclosure risk affecting data ingestion pipeline deployments.

Apache Java Information Disclosure Deserialization Inlong
CVE-2025-5486 CRITICAL CVSS 9.8
The WP Email Debug WordPress plugin (versions 1.0-1.1.0) contains a critical privilege escalation vulnerability (CVE-2025-5486) stemming from missing capability checks in the WPMDBUG_handle_settings() function. Unauthenticated attackers can exploit this to modify plugin settings, redirect administrator emails to attacker-controlled addresses, and trigger password resets to gain full administrative access to affected WordPress installations. The CVSS 9.8 score reflects network-based exploitation with zero complexity and no authentication required, representing a critical severity threat with high real-world exploitation potential.

PHP WordPress Privilege Escalation
CVE-2025-3365 CRITICAL CVSS 9.8
Critical path traversal vulnerability (CWE-23) that allows unauthenticated remote attackers to read, write, or delete arbitrary files on affected servers with a CVSS score of 9.8. The vulnerability requires no user interaction, has low attack complexity, and grants complete confidentiality, integrity, and availability impact. Without access to KEV status, EPSS scores, POC details, or specific CPE identifiers from the provided data, this appears to be a severe vulnerability affecting multiple server-side products; confirmation of active exploitation status and patch availability requires cross-referencing official vendor security advisories.

Information Disclosure Path Traversal
CVE-2025-3322 CRITICAL CVSS 10.0
Critical remote code execution vulnerability in expression language processors that allows unauthenticated attackers to execute arbitrary code with maximum server privileges through improper input neutralization. This is a perfect-score CVSS 10.0 vulnerability affecting expression language engines across multiple frameworks; exploitation requires no authentication, user interaction, or special configuration, making it an immediate priority for any organization using affected technologies.

RCE Code Injection
CVE-2025-3321 CRITICAL CVSS 9.4
Hardcoded administrative account vulnerability in an undocumented system component that cannot be deactivated, allowing local users to gain complete system compromise with high confidentiality, integrity, and availability impact. While the vulnerability carries a critical CVSS 9.4 score, the attack vector is restricted to local access only, significantly reducing real-world network-based exploitation risk. The vulnerability's severity stems from CWE-798 (Use of Hard-Coded Credentials), a foundational authentication bypass mechanism that enables privilege escalation and persistent administrative access.

Authentication Bypass Privilege Escalation
CVE-2025-49453 HIGH CVSS 7.1
CSRF vulnerability in Jatinder Pal Singh BP Profile as Homepage plugin (versions through 1.1) that enables Stored XSS attacks. An unauthenticated attacker can exploit this via a malicious web request to inject persistent JavaScript into the application, affecting all users who view the compromised profile. The vulnerability requires user interaction (CVSS UI:R) but has cross-site scope impact (S:C), resulting in a 7.1 medium-high severity rating; KEV status and active exploitation data are not currently available in public disclosures.

XSS CSRF
CVE-2025-49425 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft's Konami Easter Egg browser extension (versions through v0.4) that can lead to Stored Cross-Site Scripting (XSS) attacks. An attacker can craft a malicious request to inject persistent JavaScript code that executes in the context of affected users' browsers, potentially compromising user sessions, stealing credentials, or performing unauthorized actions. With a CVSS score of 7.1 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to users of the extension, though real-world exploitation likelihood depends on whether public exploits exist and the extension's actual user base.

XSS CSRF
CVE-2025-49421 HIGH CVSS 7.6
SQL injection vulnerability in Andrei Filonov's WP Text Expander WordPress plugin (versions through 1.0.1) that allows authenticated attackers with high-privilege administrative roles to execute arbitrary SQL queries. The vulnerability has a CVSS score of 7.6 (high severity) due to its ability to achieve confidentiality compromise and limited availability impact, though it requires administrative credentials to exploit. No current KEV (Known Exploited Vulnerability) status or public proof-of-concept is indicated in the provided data, suggesting limited real-world active exploitation at present.

SQLi
CVE-2025-49328 HIGH CVSS 7.6
SQL injection vulnerability in Agile Logix Store Locator WordPress plugin (versions up to 1.5.1) that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.6 with high confidentiality impact and limited availability impact, though it requires administrative-level privileges to exploit. The scope is changed, indicating potential impact beyond the vulnerable component itself.

WordPress SQLi
CVE-2025-49327 HIGH CVSS 7.6
SQL injection vulnerability in Ruben Garcia ShortLinks Pro versions up to 1.0.7 that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.6 (High) and affects the ShortLinks Pro WordPress plugin; while the attack requires elevated privileges, successful exploitation could lead to unauthorized data access and limited system availability impacts. No active exploitation in the wild or public POC has been widely reported at this time, though the SQL injection class (CWE-89) remains a critical attack vector.

SQLi
CVE-2025-49326 HIGH CVSS 7.6
SQL Injection vulnerability in GamiPress (a WordPress gamification plugin) affecting versions through 7.4.5. An authenticated attacker with high privileges can execute arbitrary SQL commands to read sensitive database information, potentially compromising data confidentiality and availability. While the CVSS score is 7.6 (high), the attack requires high privileges and there is no public indication of active exploitation in the wild.

SQLi
CVE-2025-49323 HIGH CVSS 8.5
SQL injection vulnerability in Themefic Hydra Booking plugin versions through 1.1.10 that allows authenticated attackers to execute arbitrary SQL queries. An attacker with user-level privileges can manipulate SQL commands to extract sensitive database information, bypass authentication, or modify data without user interaction. This vulnerability has a CVSS score of 8.5 (High) and represents a significant risk to WordPress installations using affected versions of the plugin.

SQLi
CVE-2025-49315 HIGH CVSS 7.6
CVE-2025-49315 is an SQL injection vulnerability in PersianScript's Persian Woocommerce SMS plugin affecting versions up to 7.0.10. An authenticated attacker with high privileges (administrator or above) can inject arbitrary SQL commands to read sensitive database information and cause denial of service. While the CVSS score is 7.6 (high), the requirement for elevated privileges (PR:H) and lack of integrity impact limit real-world exploitability, though the cross-site scope elevation and confirmed existence of this vulnerability class in WordPress plugins warrant immediate patching.

WordPress SQLi
CVE-2025-49313 HIGH CVSS 7.5
PHP Local File Inclusion (LFI) vulnerability in ovatheme BRW versions up to 1.8.6, stemming from improper control of filename parameters in include/require statements. An authenticated attacker with low privileges can exploit this to read arbitrary files from the server filesystem, potentially gaining access to sensitive configuration files, source code, or credentials. The vulnerability requires network access and authenticated user status (CWE-98 improper input validation on file paths), with a CVSS score of 7.5 indicating high confidentiality and integrity impact.

PHP Information Disclosure LFI
CVE-2025-49308 HIGH CVSS 7.5
PHP Local File Inclusion (LFI) vulnerability in WP Travel Engine affecting versions through 6.5.1. An authenticated attacker with low privileges can exploit improper filename control in PHP include/require statements to read arbitrary files from the server, potentially obtaining sensitive configuration data, credentials, or source code. While the CVSS score is moderate (7.5), the vulnerability requires authentication and higher attack complexity, but successful exploitation could lead to complete information disclosure and potential privilege escalation.

PHP Information Disclosure LFI
CVE-2025-49307 HIGH CVSS 7.5
PHP Local File Inclusion (LFI) vulnerability in Magazine3's WP Multilang plugin versions up to 2.4.19, stemming from improper control of filenames in PHP include/require statements. An authenticated attacker with low privileges can exploit this vulnerability to read arbitrary local files on the affected WordPress server, potentially leading to information disclosure, code execution, or system compromise. The CVSS score of 7.5 reflects high confidentiality and integrity impact, though exploitation requires valid credentials and non-standard conditions (AC:H).

PHP Information Disclosure LFI
CVE-2025-49288 HIGH CVSS 8.8
Missing Authorization vulnerability in Rustaurius Ultimate WP Mail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate WP Mail: from n/a through 1.3.5.

Authentication Bypass
CVE-2025-49263 HIGH CVSS 7.6
Blind SQL injection vulnerability in WC Vendors Marketplace plugin versions through 2.5.6 that allows authenticated attackers with high privileges (administrator or vendor) to extract sensitive database information without direct output visibility. The vulnerability has a CVSS score of 7.6 with high confidentiality impact, though integrity is not compromised and availability impact is low. No publicly available exploit code or active exploitation has been confirmed at this time, but the attack requires only network access and high privilege authentication.

SQLi
CVE-2025-49262 HIGH CVSS 7.6
Stored Cross-Site Scripting (XSS) vulnerability in the Sina Extension for Elementor WordPress plugin (versions up to 3.6.1) that allows authenticated attackers with high privileges to inject malicious scripts into web pages. When victims view the affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or defacement. While the CVSS score of 7.6 indicates moderate-to-high severity, the requirement for high-privilege authentication (PR:H) significantly limits exploitation scope compared to unauthenticated XSS vulnerabilities.

XSS
CVE-2025-49237 HIGH CVSS 7.4
Cross-Site Request Forgery (CSRF) vulnerability in POEditor that enables path traversal attacks, affecting versions 0.9.10 and earlier. An attacker can exploit this via a crafted request to perform unauthorized actions on behalf of an authenticated user, potentially leading to high availability impact. While the CVSS score of 7.4 indicates a significant threat, the requirement for user interaction (UI:R) and network-based attack vector limits real-world exploitability; current KEV and EPSS data are needed to determine if active exploitation is occurring.

Path Traversal CSRF
CVE-2025-49127 HIGH CVSS 8.9
Kafbat UI version 1.0.0 contains an unsafe deserialization vulnerability (CWE-502) that allows unauthenticated remote attackers to execute arbitrary code on affected servers with no user interaction required. This is a critical pre-authentication RCE affecting Kafka cluster management infrastructure. The vulnerability has a CVSS score of 8.9 with high impact across confidentiality, integrity, and availability; patch is available in version 1.1.0.

RCE Apache Deserialization
CVE-2025-48911 HIGH CVSS 8.2
CVE-2025-48911 is an improper permission assignment vulnerability in a note sharing module that allows local attackers with user interaction to compromise system availability and potentially access sensitive information. The vulnerability has a CVSS score of 8.2 (High) with a broad scope impact, though specific affected products, patch status, and exploitation telemetry are not provided in the available intelligence sources. Without KEV confirmation or EPSS data, the real-world exploitation risk cannot be definitively assessed, but the local attack vector and user interaction requirement suggest this is less critical than remote, unauthenticated vulnerabilities.

Privilege Escalation Information Disclosure Harmonyos
CVE-2025-48909 HIGH CVSS 7.1
Bypass vulnerability in device management channels that allows unauthenticated attackers on adjacent networks to compromise service confidentiality and cause minor availability impact. The vulnerability affects device management implementations across multiple vendors (specific products require vendor advisories to identify). While no active exploitation in the wild has been confirmed in public KEV databases at time of analysis, the 7.1 CVSS score and high confidentiality impact warrant immediate attention for organizations managing devices on trusted networks.

Authentication Bypass Information Disclosure Harmonyos
CVE-2025-48906 HIGH CVSS 8.8
CVE-2025-48906 is an authentication bypass vulnerability in the DSoftBus module that allows unauthenticated attackers on the local network to completely compromise system confidentiality, integrity, and availability without user interaction. The vulnerability affects DSoftBus implementations across multiple platforms with a CVSS score of 8.8, indicating critical severity with high exploitability potential on adjacent networks.

Authentication Bypass Denial Of Service Harmonyos
CVE-2025-48905 HIGH CVSS 8.1
WebAssembly exception handling vulnerability in the arkweb v8 module that prevents proper capture of specific Wasm exception types, potentially allowing attackers to bypass security controls or trigger unexpected application behavior. The vulnerability affects arkweb's V8 integration layer and requires network access but high attack complexity to exploit. While the CVSS score of 8.1 indicates high severity with potential impacts to confidentiality, integrity, and availability, real-world exploitability depends on whether active exploitation or proof-of-concept code exists.

Information Disclosure Harmonyos
CVE-2025-48903 HIGH CVSS 7.8
Permission bypass vulnerability in the media library module that allows unauthenticated local attackers to escalate privileges and gain unauthorized access to sensitive functionality. The vulnerability has a CVSS score of 7.8 (High) and impacts confidentiality, integrity, and availability. While the description indicates only availability impact, the CVSS vector reveals high C/I/A ratings, suggesting attackers can read, modify, or delete protected media assets and potentially disrupt service availability.

Privilege Escalation Harmonyos
CVE-2025-48784 HIGH CVSS 7.5
Missing authorization vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408 that allows unauthenticated remote attackers to modify critical system settings without any credentials or user interaction. This is a high-severity integrity violation (CVSS 7.5) affecting HR management infrastructure; attackers can alter configurations that may impact payroll, employee records, access controls, and compliance functions. No exploitation complexity is required (AC:L, PR:N), making this vulnerability immediately exploitable in real-world environments.

Information Disclosure Hr Portal
CVE-2025-48783 HIGH CVSS 7.5
CVE-2025-48783 is an external control of file name or path vulnerability (CWE-73) in the delete file function of Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408, allowing unauthenticated remote attackers to delete arbitrary files by manipulating file path parameters. The vulnerability has a CVSS score of 7.5 with high integrity impact, enabling attackers to perform unauthorized file deletion without authentication. Exploitation requires only network access and no user interaction, making this a significant threat to organizations using affected HRD system versions.

Information Disclosure Hr Portal
CVE-2025-48781 HIGH CVSS 7.5
A remote code execution vulnerability in the download file function of Soar Cloud HRD Human Resource Management System (CVSS 7.5) that allows remote attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure Hr Portal
CVE-2025-48329 HIGH CVSS 7.1
A reflected cross-site scripting (XSS) vulnerability exists in Daman Jeet's Real Time Validation for Gravity Forms plugin affecting versions through 1.7.0, allowing unauthenticated attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can compromise user sessions, steal credentials, or deface form content due to its cross-site impact scope. While the CVSS score of 7.1 indicates moderate-to-high severity, real-world exploitation depends on form visibility and user interaction patterns.

XSS
CVE-2025-47950 HIGH CVSS 7.5
A denial of service vulnerability in versions (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Denial Of Service Red Hat Coredns Suse
CVE-2025-47584 HIGH CVSS 8.5
A deserialization vulnerability in ThemeGoods Photography (CVSS 8.5). High severity vulnerability requiring prompt remediation.

Deserialization Photography
CVE-2025-41361 HIGH CVSS 8.3
A remote code execution vulnerability in IDF (CVSS 8.3). High severity vulnerability requiring prompt remediation.

Denial Of Service TLS IoT
CVE-2025-41360 HIGH CVSS 8.7
CVE-2025-41360 is an uncontrolled resource consumption vulnerability affecting IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04 that enables remote denial of service through packet flooding attacks. The vulnerability allows unauthenticated network attackers to exhaust device resources with minimal complexity, resulting in service unavailability. The high CVSS score of 8.7 reflects the critical availability impact, though exploitation requires network access and no privilege escalation is possible.

Denial Of Service
CVE-2025-39358 HIGH CVSS 8.8
A deserialization vulnerability in Teastudio (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Deserialization
CVE-2025-38000 HIGH CVSS 7.8
Use-after-free vulnerability in the Linux kernel's HFSC (Hierarchical Fair Service Curve) queue discipline scheduler that occurs when enqueuing packets triggers a peek operation on child qdiscs before queue accounting is updated. Local attackers with unprivileged user privileges can exploit this to cause denial of service or potentially execute code with kernel privileges. The vulnerability affects Linux kernel versions with the vulnerable HFSC implementation and has a CVSS score of 7.8 (high severity) with local attack vector requirements.

Denial Of Service Linux Use After Free Red Hat Debian Linux
CVE-2025-33031 HIGH CVSS 8.8
CVE-2025-33031 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. An attacker with valid user credentials can exploit insufficient SSL/TLS certificate validation to perform man-in-the-middle attacks or bypass security controls. The vulnerability has a high CVSS score of 8.8 and affects all versions of File Station 5 prior to 5.5.6.4847; patches are available from Synology.

Information Disclosure File Station
CVE-2025-30999 HIGH CVSS 7.5
PHP Local File Inclusion (LFI) vulnerability in the WP Shopify plugin (versions up to 1.5.3) that allows authenticated attackers to include and execute arbitrary local files on the web server through improper control of filename parameters in PHP include/require statements. The vulnerability requires low-privilege user access (PR:L) and has moderate attack complexity (AC:H), but results in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H), making it a significant risk for WordPress sites using this plugin.

PHP Information Disclosure LFI
CVE-2025-30995 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light plugin (versions up to 3.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to trick authenticated users into performing unintended actions, resulting in persistent XSS payload injection that affects all subsequent visitors. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world exploitability without requiring elevated privileges.

XSS CSRF
CVE-2025-30989 HIGH CVSS 7.6
A SQL Injection vulnerability (CWE-89) exists in Renzo Tejada's 'Libro de Reclamaciones y Quejas' application versions up to 0.9, allowing authenticated attackers with high privileges to execute arbitrary SQL commands. While the CVSS score is 7.6 (High), the attack requires prior authentication and high-level privileges (PR:H), significantly reducing real-world exploitability. The vulnerability impacts confidentiality (data exfiltration) and limited availability, though integrity is not affected. Without confirmed KEV status, active exploitation data, or public proof-of-concept, this represents a medium-priority issue requiring patching but not immediate emergency response.

SQLi
CVE-2025-30279 HIGH CVSS 8.8
CVE-2025-30279 is an improper certificate validation vulnerability in QNAP File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. Affected versions are below 5.5.6.4847; the vulnerability requires valid user credentials but no user interaction, making it a significant post-authentication attack vector with a CVSS score of 8.8 indicating high severity.

Authentication Bypass Qnap File Station
CVE-2025-29892 HIGH CVSS 8.8
SQL injection vulnerability in Qsync Central that allows authenticated remote attackers to execute arbitrary code or commands with high impact on confidentiality, integrity, and availability. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released 2025/03/20), and while no active KEV or public PoC is explicitly referenced in the provided data, the high CVSS score of 8.8 combined with low attack complexity and low privilege requirements indicates this is a serious, readily exploitable vulnerability that should be prioritized for patching.

RCE SQLi Qnap Qsync Central
CVE-2025-29885 HIGH CVSS 8.8
CVE-2025-29885 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. The vulnerability affects File Station 5 versions prior to 5.5.6.4791 and requires valid user credentials to exploit. With a CVSS score of 8.8 and a low attack complexity, this represents a significant risk to organizations running vulnerable versions, though exploitation requires prior authentication.

Authentication Bypass Synology File Station
CVE-2025-29884 HIGH CVSS 8.8
CVE-2025-29884 is an improper certificate validation vulnerability affecting Synology File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. The vulnerability requires user-level access but enables complete system compromise with high impact across all security dimensions. No active KEV or public POC data is currently available, but the CVSS 8.8 score and low attack complexity indicate this should be prioritized for patching.

Authentication Bypass Synology File Station
CVE-2025-29883 HIGH CVSS 8.8
CVE-2025-29883 is an improper certificate validation vulnerability affecting Synology File Station 5 that allows authenticated remote attackers to compromise system security through man-in-the-middle attacks or credential harvesting. The vulnerability requires valid user credentials (PR:L) but can result in complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 8.8). Patched versions are available for File Station 5 5.5.6.4791 and later.

Authentication Bypass Qnap File Station
CVE-2025-29877 HIGH CVSS 7.5
NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by causing the application to crash. While the CVSS 7.5 score reflects the severity of availability impact, the vulnerability requires valid user credentials to exploit, making it primarily a risk for organizations with compromised or malicious insider accounts. The vendor has released patches in version 5.5.6.4847 and later.

Denial Of Service Null Pointer Dereference Qnap File Station
CVE-2025-29876 HIGH CVSS 7.5
NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. While the CVSS score of 7.5 is elevated, the requirement for a valid user account (PR:N is misleading in vector; effective privilege requirement exists) and lack of data confidentiality/integrity impact limit real-world severity. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and the vendor has released patched versions.

Denial Of Service Null Pointer Dereference Qnap File Station
CVE-2025-29873 HIGH CVSS 7.5
NULL pointer dereference vulnerability affecting QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and high availability impact, though it requires valid user credentials to exploit. QNAP has released patched versions (5.5.6.4847 and later) to remediate this issue.

Denial Of Service Null Pointer Dereference Qnap File Station
CVE-2025-29872 HIGH CVSS 7.5
Denial-of-service vulnerability in QNAP File Station 5 that allows an authenticated attacker to exhaust system resources without limits or throttling, preventing legitimate users and processes from accessing the affected service. The vulnerability affects File Station 5 versions prior to 5.5.6.4847 and is remotely exploitable with no user interaction required once account access is obtained. With a CVSS score of 7.5 (High) and network-based attack vector, this represents a significant availability risk for organizations relying on File Station for network file access.

Denial Of Service Synology File Station
CVE-2025-28986 HIGH CVSS 8.2
A Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin versions up to 1.5 allows unauthenticated attackers to perform unauthorized actions via crafted requests. While the CVE description anomalously mentions SQL Injection alongside CSRF, the CVSS vector (CWE-352: CSRF) and vector string indicate the primary threat is CSRF with consequential impacts on confidentiality (High) and availability (Low). The vulnerability requires user interaction (UI:R) and affects confidentiality significantly, making it a material risk for WordPress installations using this plugin, particularly if no active mitigation or patch is available.

SQLi CSRF
CVE-2025-28981 HIGH CVSS 7.1
A cross-site scripting vulnerability in Soli WP Mail Options allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

XSS CSRF
CVE-2025-28974 HIGH CVSS 7.1
CSRF vulnerability in mail250 Free WP Mail SMTP (versions up to 1.0) that enables stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts via crafted requests. The vulnerability requires user interaction (UI:R) but has network-based attack vector (AV:N) with low complexity (AC:L), affecting WordPress installations using this email plugin. While CVSS 7.1 indicates medium-high severity with confidentiality, integrity, and availability impact, real-world exploitation depends on KEV status, EPSS probability, and public POC availability-data not provided in the source material.

XSS CSRF
CVE-2025-28966 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in the dilemma123 Recent Posts Slider Responsive WordPress plugin (versions through 1.0.1) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads, which execute in the browsers of site administrators and visitors, potentially leading to account compromise, malware distribution, or defacement. The vulnerability requires user interaction (UI:R) but has network-accessible attack surface (AV:N) with moderate CVSS score of 7.1 and should be prioritized for patched WordPress installations running vulnerable plugin versions.

XSS CSRF
CVE-2025-28964 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon (versions up to 2.0) that enables Stored XSS attacks. An unauthenticated attacker can craft a malicious request that, when visited by a user, executes arbitrary JavaScript in the victim's browser context with access to sensitive data and session tokens. While no public exploit or KEV status confirmation is available from the provided data, the CVSS 7.1 score and Stored XSS payload persistence indicate moderate-to-high real-world risk, particularly if the plugin has significant user adoption.

XSS CSRF
CVE-2025-28958 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov's Bg Orthodox Calendar plugin that enables Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects all versions from an unspecified baseline through 0.13.10, allowing unauthenticated attackers over the network to inject and store malicious scripts that execute in users' browsers with moderate impact to confidentiality, integrity, and availability. The CVSS 7.1 score reflects the combination of network attack vector with user interaction requirement; real-world exploitation risk depends on whether this vulnerability is actively exploited or has public proof-of-concept code available.

XSS CSRF
CVE-2025-28954 HIGH CVSS 7.4
Cross-Site Request Forgery (CSRF) vulnerability in the wphobby Backwp WordPress plugin (versions through 2.0.2) that enables path traversal attacks. An unauthenticated remote attacker can exploit this via a crafted web request to perform unauthorized actions and potentially access sensitive files outside intended directories. While the CVSS score of 7.4 indicates high severity with availability impact, the vulnerability requires user interaction (UI:R) and affects availability rather than confidentiality or integrity, suggesting moderate real-world exploitability.

Path Traversal CSRF
CVE-2025-28950 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai's Post Author WordPress plugin (versions through 1.1.1) that enables Stored Cross-Site Scripting (XSS) attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in the browsers of all users viewing affected content, potentially leading to account compromise, data theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating practical exploitability without authentication.

XSS CSRF
CVE-2025-28948 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in the codedraft Mediabay WordPress plugin (versions up to 1.4) that enables reflected XSS attacks. Attackers can exploit this network-accessible vulnerability without authentication to perform unauthorized actions on behalf of authenticated users and inject malicious scripts, affecting WordPress installations using this media library plugin. The CVSS 7.1 score and absence of KEV/active exploitation data suggest moderate real-world risk with UI interaction required.

WordPress XSS CSRF
CVE-2025-26590 HIGH CVSS 7.6
SQL Injection vulnerability in Nir Complete Google SEO Scan plugin (versions up to 3.5.1) that allows authenticated attackers with high privileges to execute arbitrary SQL commands against the database. While the CVSS score is 7.6 (high), the attack requires administrative credentials and does not enable data modification, limiting real-world impact to information disclosure and service degradation. No active exploitation in the wild has been confirmed at this time.

SQLi Google
CVE-2025-22490 HIGH CVSS 7.5
NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and while it requires valid user credentials (PR:N indicates no privileges required once authenticated), it has a CVSS score of 7.5 reflecting high availability impact. No indication of active exploitation in the wild or public POC is evident from the provided data.

Denial Of Service Null Pointer Dereference Qnap File Station
CVE-2025-22486 HIGH CVSS 8.8
CVE-2025-22486 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. The vulnerability affects File Station 5 versions prior to 5.5.6.4791, and while it requires valid user credentials (PR:L in CVSS), the lack of user interaction requirement (UI:N) and network accessibility (AV:N) make it a high-severity threat in multi-user environments. No confirmed KEV or active exploitation data is available at this time, but the high CVSS score of 8.8 and the nature of certificate validation bypass attacks warrant immediate patching.

Information Disclosure File Station
CVE-2025-22484 HIGH CVSS 7.1
CVE-2025-22484 is an unthrottled resource allocation vulnerability in Qnap File Station 5 that allows authenticated remote attackers to exhaust system resources and cause denial of service. An attacker with valid user credentials can exploit this CWE-770 weakness to prevent legitimate users and processes from accessing shared resources, affecting availability. The vulnerability has a moderate-to-high CVSS 7.1 score driven by network accessibility and high availability impact, though it requires prior authentication; the fix is available in File Station 5 version 5.5.6.4847 and later.

Denial Of Service Qnap
CVE-2025-22482 HIGH CVSS 8.1
Format string vulnerability in QNAP Qsync Central that allows authenticated remote attackers to read sensitive data or modify memory without user interaction. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released March 20, 2025), with a CVSS score of 8.1 indicating high severity. While no public exploit or KEV status is currently documented, the low attack complexity and requirement for only low-privilege user access make this a significant risk for organizations running vulnerable versions.

Information Disclosure Qnap Code Injection Qsync Central
CVE-2025-22481 HIGH CVSS 8.8
Command injection vulnerability affecting QNAP NAS operating systems (QTS and QuTS hero) that allows authenticated remote attackers to execute arbitrary commands with high severity (CVSS 8.8). The vulnerability requires valid user credentials but no user interaction, making it exploitable by compromised accounts or insider threats. QNAP has released patches as of March 21, 2025, and exploitation details are limited in public disclosures at this time.

RCE Command Injection Qnap Qts Quts Hero
CVE-2025-5806 HIGH CVSS 8.0
A cross-site scripting vulnerability (CVSS 8.0). High severity vulnerability requiring prompt remediation.

XSS Java Jenkins Gatling
CVE-2025-5799 HIGH CVSS 8.8
Critical stack-based buffer overflow vulnerability in Tenda AC8 router firmware version 16.03.34.09, affecting the wireless repeat configuration function. An authenticated remote attacker can exploit this vulnerability via the wpapsk_crypto parameter to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability impact). Public proof-of-concept code exists and exploitation is feasible, making this an actively exploitable threat requiring immediate patching.

Buffer Overflow Tenda Ac8 Firmware
CVE-2025-5798 HIGH CVSS 8.8
Critical stack-based buffer overflow vulnerability in Tenda AC8 router firmware version 16.03.34.09, exploitable via the timeType parameter in the /goform/SetSysTimeCfg endpoint. An authenticated remote attacker can leverage this vulnerability to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit disclosure and confirmed proof-of-concept availability indicate active threat potential, though exploitation requires valid authentication credentials.

Buffer Overflow Tenda Ac8 Firmware
CVE-2025-5795 HIGH CVSS 8.8
Critical buffer overflow vulnerability in Tenda AC5 router firmware (version 1.0/15.03.06.47) affecting the LAN IP configuration function. An authenticated attacker can remotely exploit improper input validation on the 'lanMask' parameter to achieve remote code execution with high confidentiality, integrity, and availability impact. Public exploit code is available and the vulnerability meets active exploitation criteria.

Buffer Overflow Tenda Ac5 Firmware
CVE-2025-5794 HIGH CVSS 8.8
A buffer overflow vulnerability (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow Tenda Ac5 Firmware
CVE-2025-5793 HIGH CVSS 8.8
A critical buffer overflow vulnerability exists in TOTOLINK EX1200T firmware version 4.1.2cu.5232_B20210713 in the HTTP POST request handler for the /boafrm/formPortFw endpoint. An authenticated attacker can exploit this by manipulating the 'service_type' parameter to achieve remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.8). Public exploits are available, making this an active threat.

RCE Buffer Overflow TP-Link Ex1200t Firmware TOTOLINK
CVE-2025-5792 HIGH CVSS 8.8
A buffer overflow vulnerability (CVSS 8.8). Risk factors: public PoC available.

RCE Buffer Overflow TP-Link Ex1200t Firmware TOTOLINK
CVE-2025-5791 HIGH CVSS 7.1
Privilege escalation vulnerability in the Rust 'users' crate that incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has high impact on confidentiality and integrity.

Privilege Escalation Red Hat Rust Suse
CVE-2025-5790 HIGH CVSS 8.8
Critical buffer overflow vulnerability in TOTOLINK X15 firmware version 1.0.0-B20230714.1105 affecting the HTTP POST request handler for the /boafrm/formIpQoS endpoint. An authenticated remote attacker can exploit improper input validation on the 'mac' parameter to achieve buffer overflow, resulting in complete compromise of confidentiality, integrity, and availability (CIA triad). Public exploit disclosure and proof-of-concept availability significantly elevate real-world exploitation risk.

Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5789 HIGH CVSS 8.8
A critical buffer overflow vulnerability exists in TOTOLINK X15 firmware version 1.0.0-B20230714.1105 affecting the HTTP POST request handler in the /boafrm/formPortFw endpoint. An authenticated attacker can exploit the unsanitized 'service_type' parameter to trigger a buffer overflow, achieving remote code execution with high impact on confidentiality, integrity, and availability. Public exploit code is available and the vulnerability meets criteria for active exploitation risk.

RCE Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5788 HIGH CVSS 8.8
Critical buffer overflow vulnerability in TOTOLINK X15 router firmware version 1.0.0-B20230714.1105, affecting the HTTP POST request handler at endpoint /boafrm/formReflashClientTbl. An authenticated remote attacker can exploit improper argument validation in the 'submit-url' parameter to achieve complete system compromise including confidentiality, integrity, and availability breaches. Public exploit code exists and the vulnerability meets CISA KEV criteria for active exploitation risk.

Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5787 HIGH CVSS 8.8
Critical buffer overflow vulnerability in TOTOLINK X15 firmware version 1.0.0-B20230714.1105 affecting the HTTP POST request handler at endpoint /boafrm/formWsc. An authenticated remote attacker can exploit this via a malicious 'submit-url' parameter to achieve remote code execution with high impact on confidentiality, integrity, and availability. Public exploit code is available, creating immediate risk for affected deployments.

RCE Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5786 HIGH CVSS 8.8
Critical buffer overflow vulnerability in TOTOLINK X15 1.0.0-B20230714.1105 affecting the DMZ configuration HTTP POST handler. An authenticated attacker can exploit a malformed 'submit-url' parameter in the /boafrm/formDMZ endpoint to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). A proof-of-concept exploit has been publicly disclosed, and the vulnerability may be actively exploited in the wild.

RCE Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5785 HIGH CVSS 8.8
Critical buffer overflow vulnerability in TOTOLINK X15 router firmware (version 1.0.0-B20230714.1105) affecting the HTTP POST request handler for the /boafrm/formWirelessTbl endpoint. An authenticated attacker can exploit the 'submit-url' parameter to trigger a buffer overflow, achieving remote code execution with full system compromise (confidentiality, integrity, and availability impact). The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk in production environments.

Buffer Overflow X15 Firmware TOTOLINK
CVE-2025-5750 HIGH CVSS 8.8
Heap-based buffer overflow vulnerability in WOLFBOX Level 2 EV Charger that allows network-adjacent attackers to execute arbitrary code without authentication. The flaw exists in the tuya_svc_devos_activate_result_parse function where insufficient validation of secKey, localKey, stdTimeZone, and devId parameters enables remote code execution. With a CVSS score of 8.8 and network-adjacent attack vector, this represents a critical risk for deployed EV charging infrastructure.

RCE Buffer Overflow Level 2 Ev Charger Firmware
CVE-2025-5749 HIGH CVSS 8.8
Critical authentication bypass vulnerability in WOLFBOX Level 2 EV Charger devices caused by uninitialized cryptographic key variables in BLE vendor-specific encrypted communications. Network-adjacent attackers can completely bypass authentication without credentials, gaining full system access (confidentiality, integrity, and availability compromise). The vulnerability (CVSS 8.8) affects encrypted BLE communications and represents a significant risk to EV charging infrastructure security, though real-world exploitation likelihood depends on proximity requirements and patch availability from WOLFBOX.

Authentication Bypass Level 2 Ev Charger Firmware
CVE-2025-5748 HIGH CVSS 8.0
Critical remote code execution vulnerability in WOLFBOX Level 2 EV Charger devices that exploits an exposed dangerous method in the Tuya communications module, allowing network-adjacent attackers to upload and execute arbitrary code despite authentication requirements. The authentication bypass mechanism combined with the exposed software upload functionality creates a high-severity attack path that can grant attackers complete control over affected EV charger installations. This vulnerability (formerly ZDI-CAN-26349) presents significant risk to vehicle charging infrastructure and connected IoT deployments relying on Tuya-based communication protocols.

Authentication Bypass RCE IoT Level 2 Ev Charger Firmware
CVE-2025-5747 HIGH CVSS 8.0
Remote code execution vulnerability in WOLFBOX Level 2 EV Charger devices caused by improper frame parsing in the Microcontroller Unit (MCU) firmware. Network-adjacent attackers with valid authentication credentials can exploit a frame start detection flaw to misinterpret command input and execute arbitrary code with full device privileges. While no public exploit code or active KEV listing is confirmed from the provided data, the CVSS 8.0 score and requirement for authentication (not public network access) suggest moderate real-world exploitability; however, this should be verified against EPSS scores and vendor advisories for actual threat intelligence integration.

RCE Level 2 Ev Charger Firmware
CVE-2025-5739 HIGH CVSS 8.8
A critical buffer overflow vulnerability exists in TOTOLINK X15 firmware version 1.0.0-B20230714.1105, affecting the HTTP POST request handler in the /boafrm/formSaveConfig endpoint. An authenticated attacker can exploit the unsanitized 'submit-url' parameter to trigger a buffer overflow, potentially achieving remote code execution with full system compromise (confidentiality, integrity, and availability impact). The vulnerability has been publicly disclosed with exploit proof-of-concept available, creating immediate real-world risk.

RCE Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5738 HIGH CVSS 8.8
Critical buffer overflow vulnerability in TOTOLINK X15 router (firmware version 1.0.0-B20230714.1105) affecting the HTTP POST request handler at endpoint /boafrm/formStats. An authenticated remote attacker can exploit improper input validation on the 'submit-url' parameter to trigger a buffer overflow, achieving remote code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code is available and the vulnerability is actively exploitable.

RCE Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5737 HIGH CVSS 8.8
Critical remote buffer overflow vulnerability in TOTOLINK X15 router (firmware version 1.0.0-B20230714.1105) affecting the HTTP POST request handler at endpoint /boafrm/formDosCfg. An authenticated attacker can exploit improper input validation of the 'submit-url' parameter to achieve buffer overflow, leading to complete system compromise including confidentiality, integrity, and availability breaches. A public proof-of-concept exploit exists, increasing real-world exploitation risk.

Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5736 HIGH CVSS 8.8
A critical buffer overflow vulnerability exists in TOTOLINK X15 firmware version 1.0.0-B20230714.1105 affecting the NTP configuration handler (/boafrm/formNtp). An authenticated attacker can remotely trigger a buffer overflow via the 'submit-url' parameter in HTTP POST requests, achieving remote code execution with high confidentiality, integrity, and availability impact. Public exploit code is available and the vulnerability meets active exploitation criteria.

RCE Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5735 HIGH CVSS 8.8
Critical buffer overflow vulnerability in TOTOLINK X15 wireless router (firmware version 1.0.0-B20230714.1105) affecting the HTTP POST request handler for the /boafrm/formSetLg endpoint. An authenticated attacker can exploit the 'submit-url' parameter to trigger a buffer overflow, achieving remote code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code has been disclosed, making this an actively exploitable vulnerability with demonstrated proof-of-concept.

RCE Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5734 HIGH CVSS 8.8
Critical buffer overflow vulnerability in TOTOLINK X15 router firmware (version 1.0.0-B20230714.1105) affecting the HTTP POST request handler for the /boafrm/formWlanRedirect endpoint. An authenticated attacker can remotely exploit this vulnerability by manipulating the 'redirect-url' parameter to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). The vulnerability has been publicly disclosed with exploit code available, significantly increasing real-world exploitation risk.

Buffer Overflow TP-Link X15 Firmware TOTOLINK
CVE-2025-5481 HIGH CVSS 7.8
Out-of-bounds write vulnerability in Sante DICOM Viewer Pro's DCM file parsing that allows remote code execution with high severity (CVSS 7.8). The vulnerability affects users who open malicious DICOM files, enabling attackers to execute arbitrary code in the application's process context. This is a user-interaction-dependent vulnerability with local attack vector, but the ability to trigger RCE via file opening makes it practically significant for targeted attacks.

RCE Buffer Overflow Dicom Viewer Pro
CVE-2025-5480 HIGH CVSS 7.8
Local privilege escalation vulnerability in Action1 where an attacker with low-privileged code execution can exploit an insecure OpenSSL configuration file loading mechanism to achieve SYSTEM-level code execution. The vulnerability requires prior code execution capability on the target system but presents a direct path to full system compromise once initial access is obtained. No active exploitation or public POC has been confirmed at this time, but the moderate CVSS score of 7.8 and CWE-427 classification indicate a meaningful risk to Action1 users.

Privilege Escalation RCE OpenSSL Agent
CVE-2025-5474 HIGH CVSS 7.3
Local privilege escalation vulnerability in 2BrightSparks SyncBackFree that allows low-privileged attackers to escalate to SYSTEM-level privileges by abusing the Mirror functionality through malicious junction creation. The vulnerability requires local code execution capability and administrator interaction, enabling arbitrary file deletion and code execution with SYSTEM privileges. This is a moderately severe local privilege escalation with a CVSS score of 7.3.

Privilege Escalation RCE Syncbackfree
CVE-2025-5473 HIGH CVSS 8.8
Critical remote code execution vulnerability in GIMP's ICO file parser caused by an integer overflow (CWE-190) that lacks proper input validation. This vulnerability affects GIMP users who open malicious ICO files or visit attacker-controlled pages serving malicious images, allowing arbitrary code execution with user privileges. The CVSS score of 8.8 reflects high severity with network-accessible attack vector and required user interaction; exploitation status and active weaponization details require cross-reference with KEV/EPSS data.

RCE Red Hat Gimp Suse
CVE-2025-5192 HIGH CVSS 7.5
Missing authentication vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408 that allows unauthenticated remote attackers to bypass authentication controls and access critical application functions. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality impact, indicating attackers can read sensitive HR data without credentials. While specific KEV or active exploitation status is not confirmed in available data, the network-accessible nature (AV:N), lack of authentication requirement (PR:N), and criticality of HR systems suggest elevated real-world risk.

Authentication Bypass Hr Portal
CVE-2025-5018 HIGH CVSS 7.1
The Hive Support WordPress plugin (versions ≤1.2.4) contains missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions, allowing authenticated Subscriber-level users to read and modify sensitive data including OpenAI API keys, inspection data, and AI chat prompts. With a CVSS score of 7.1 and network-accessible attack vector requiring only user authentication, this vulnerability poses significant risk to WordPress installations using this plugin. The vulnerability may be a duplicate of CVE-2025-32208 or CVE-2025-32242, and patch status and active exploitation metrics are currently unknown.

WordPress Authentication Bypass
CVE-2025-3485 HIGH CVSS 8.8
Directory traversal vulnerability in Allegra's extractFileFromZip method that allows authenticated attackers to execute arbitrary code on affected systems. The vulnerability stems from insufficient path validation, enabling remote code execution in the context of the running process. With a CVSS score of 8.8 and requiring only low-privilege authentication, this represents a significant risk to Allegra deployments, though exploitation requires prior authenticated access.

RCE Path Traversal Allegra
CVE-2025-2766 HIGH CVSS 8.8
Critical authentication bypass vulnerability in the 70mai A510 dashcam that exploits default credentials in the device's user account configuration. Network-adjacent attackers can bypass authentication without any credentials and achieve remote code execution with root privileges. This vulnerability presents an immediate and severe risk due to its low attack complexity, lack of user interaction requirement, and the widespread deployment of 70mai dashcams in vehicles.

Authentication Bypass RCE A510 Firmware
CVE-2024-13088 HIGH CVSS 7.8
CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network attackers with low privileges to compromise system confidentiality, integrity, and availability. The vulnerability requires local network access and low privileges but no user interaction, making it a significant risk for networked environments. Patch versions QuRouter 2.5.0.140 and later are available, though KEV/EPSS data and active exploitation status are not confirmed in the provided intelligence.

Authentication Bypass Qurouter
CVE-2023-26003 HIGH CVSS 7.6
SQL injection vulnerability in the WP Post Corrector WordPress plugin (versions up to 1.0.2) that allows authenticated attackers with high privileges to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure and limited service disruption. The vulnerability requires administrator-level access to exploit, significantly limiting its immediate threat surface, though it could be chained with privilege escalation attacks.

SQLi
CVE-2023-25995 HIGH CVSS 7.5
PHP Local File Inclusion (LFI) vulnerability in choicehomemortgage AI Mortgage Calculator versions up to 1.0.1, caused by improper input validation on file inclusion statements. An authenticated attacker with low privileges can exploit this vulnerability over the network to read arbitrary files from the server, potentially leading to information disclosure, privilege escalation, or remote code execution. The high CVSS score of 7.5 reflects the severity of potential impacts (confidentiality, integrity, availability compromise), though the requirement for authenticated access and high attack complexity somewhat limit real-world exploitability.

PHP Information Disclosure LFI
CVE-2023-2921 HIGH CVSS 8.8
The Short URL WordPress plugin through version 1.6.8 contains a SQL injection vulnerability (CWE-89) in an unsanitized parameter used directly in SQL statements. This vulnerability is exploitable by low-privileged users (subscribers), allowing attackers to extract sensitive database information, modify data, or potentially execute arbitrary code. With a CVSS score of 8.8 and network-accessible attack vector requiring only low privilege level, this represents a critical risk to WordPress installations using vulnerable plugin versions.

PHP WordPress SQLi Short Url
CVE-2025-49599 MEDIUM CVSS 4.1
CVE-2025-49599 is a security vulnerability (CVSS 4.1) that allows the epuser account. Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-49450 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mhallmann SEPA Girocode allows Stored XSS. This issue affects SEPA Girocode: from n/a through 0.5.1.

XSS
CVE-2025-49449 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WP Map Plugins Interactive Regional Map of Africa allows Cross Site Request Forgery. This issue affects Interactive Regional Map of Africa: from n/a through 1.0.

CSRF
CVE-2025-49446 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in minhlaobao Admin Notes allows Cross Site Request Forgery. This issue affects Admin Notes: from n/a through 1.1.

CSRF
CVE-2025-49445 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WP Map Plugins Interactive UK Regional Map allows Cross Site Request Forgery. This issue affects Interactive UK Regional Map: from n/a through 2.0.

CSRF
CVE-2025-49443 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris McCoy Bacon Ipsum allows Stored XSS. This issue affects Bacon Ipsum: from n/a through 2.4.

XSS
CVE-2025-49442 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mostafa Shahiri Simple Nested Menu allows Stored XSS. This issue affects Simple Nested Menu: from n/a through 1.0.

XSS
CVE-2025-49441 MEDIUM CVSS 5.3
Missing Authorization vulnerability in WP Map Plugins Interactive Regional Map of Florida allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Interactive Regional Map of Florida: from n/a through 1.0.

Authentication Bypass
CVE-2025-49440 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Vuong Nguyen WP Security Master allows Cross Site Request Forgery. This issue affects WP Security Master: from n/a through 1.0.2.

CSRF
CVE-2025-49439 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in mariusz88atelierweb Atelier Create CV allows Cross Site Request Forgery. This issue affects Atelier Create CV: from n/a through 1.1.2.

CSRF
CVE-2025-49435 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Hasina77 Wp Easy Allopass allows Cross Site Request Forgery. This issue affects Wp Easy Allopass: from n/a through 4.1.1.

CSRF
CVE-2025-49429 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Burnette Video Embeds allows Stored XSS. This issue affects Video Embeds: from n/a through 0.1.1.

XSS
CVE-2025-49427 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Burnette Abbie Expander allows Stored XSS. This issue affects Abbie Expander: from n/a through 1.0.1.

XSS
CVE-2025-49419 MEDIUM CVSS 5.5
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in esigngenie Foxit eSign for WordPress allows Retrieve Embedded Sensitive Data. This issue affects Foxit eSign for WordPress: from n/a through 2.0.3.

WordPress Information Disclosure
CVE-2025-49333 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wp.insider Simple Membership allows Stored XSS. This issue affects Simple Membership: from n/a through 4.6.3.

XSS
CVE-2025-49332 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in codepeople WP Time Slots Booking Form allows Cross Site Request Forgery. This issue affects WP Time Slots Booking Form: from n/a through 1.2.30.

CSRF
CVE-2025-49329 MEDIUM CVSS 6.6
Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress allows Upload a Web Shell to a Web Server. This issue affects Store Locator WordPress: from n/a through 1.5.2.

WordPress File Upload
CVE-2025-49325 MEDIUM CVSS 4.7
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Automattic Newspack Newsletters allows Phishing. This issue affects Newspack Newsletters: from n/a through 3.13.0.

Open Redirect
CVE-2025-49324 MEDIUM CVSS 5.3
Missing Authorization vulnerability in PickPlugins Job Board Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Job Board Manager: from n/a through 2.1.60.

Authentication Bypass
CVE-2025-49322 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeedProd 404 Page by SeedProd allows Stored XSS. This issue affects 404 Page by SeedProd: from n/a through n/a.

XSS
CVE-2025-49320 MEDIUM CVSS 5.3
A remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass
CVE-2025-49318 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPtouch WPtouch allows Stored XSS. This issue affects WPtouch: from n/a through 4.3.60.

XSS
CVE-2025-49317 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in NTC WP Page Loading allows Cross Site Request Forgery. This issue affects WP Page Loading: from n/a through 1.0.6.

CSRF
CVE-2025-49314 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ovatheme BRW allows Stored XSS. This issue affects BRW: from n/a through 1.8.6.

XSS
CVE-2025-49311 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through 1.4.9.

XSS
CVE-2025-49310 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Frontend Dashboard allows Stored XSS. This issue affects Frontend Dashboard: from n/a through 2.2.8.

XSS
CVE-2025-49309 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Team Member allows Stored XSS. This issue affects HT Team Member: from n/a through 1.1.7.

XSS
CVE-2025-49306 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.3.

XSS
CVE-2025-49305 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode Product Catalog Simple allows Stored XSS. This issue affects Product Catalog Simple: from n/a through 1.8.1.

XSS
CVE-2025-49304 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense allows Stored XSS. This issue affects Search with Typesense: from n/a through 2.0.10.

XSS
CVE-2025-49301 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows DOM-Based XSS. This issue affects Greenshift: from n/a through 11.5.5.

XSS
CVE-2025-49299 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPlugged.com WebHotelier allows Stored XSS. This issue affects WebHotelier: from n/a through 1.9.2.

XSS
CVE-2025-49298 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post allows Stored XSS. This issue affects Event post: from n/a through 5.10.1.

XSS
CVE-2025-49294 MEDIUM CVSS 5.3
Insertion of Sensitive Information Into Sent Data vulnerability in CodeRevolution Crawlomatic Multisite Scraper Post Generator allows Retrieve Embedded Sensitive Data. This issue affects Crawlomatic Multisite Scraper Post Generator: from n/a through 2.6.8.2.

Information Disclosure
CVE-2025-49293 MEDIUM CVSS 4.3
Missing Authorization vulnerability in CodeRevolution Crawlomatic Multisite Scraper Post Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crawlomatic Multisite Scraper Post Generator: from n/a through 2.6.8.2.

Authentication Bypass
CVE-2025-49292 MEDIUM CVSS 4.3
A security vulnerability in Cozmoslabs Profile Builder allows Phishing (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-49291 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in codepeople Calculated Fields Form allows Cross Site Request Forgery. This issue affects Calculated Fields Form: from n/a through 5.3.58.

CSRF
CVE-2025-49289 MEDIUM CVSS 5.0
A security vulnerability in add-ons (CVSS 5.0). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-49287 MEDIUM CVSS 4.3
Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Feed for WooCommerce: from n/a through 2.2.8.

WordPress Authentication Bypass
CVE-2025-49286 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WP Table Builder WP Table Builder allows Cross Site Request Forgery. This issue affects WP Table Builder: from n/a through 2.0.6.

CSRF
CVE-2025-49285 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent allows Cross Site Request Forgery. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through 3.8.0.

CSRF
CVE-2025-49284 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in wp-buy WP Maintenance Mode & Site Under Construction allows Cross Site Request Forgery. This issue affects WP Maintenance Mode & Site Under Construction: from n/a through 4.3.

CSRF
CVE-2025-49283 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Matthias Nordwig Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant allows Cross Site Request Forgery. This issue affects Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant: from n/a through 4.1.1.

CSRF
CVE-2025-49273 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Bill Minozzi WP Tools allows Cross Site Request Forgery. This issue affects WP Tools: from n/a through 5.24.

CSRF
CVE-2025-49272 MEDIUM CVSS 4.3
A security vulnerability in Missing Authorization vulnerability in sergiotrinity Trinity Audio (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-49270 MEDIUM CVSS 5.3
Missing Authorization vulnerability in Mario Peshev WP-CRM System allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP-CRM System: from n/a through 3.4.2.

Authentication Bypass
CVE-2025-49269 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Anton Vanyukov Market Exporter allows Cross Site Request Forgery. This issue affects Market Exporter: from n/a through 2.0.22.

CSRF
CVE-2025-49268 MEDIUM CVSS 5.3
Missing Authorization vulnerability in Soft8Soft LLC Verge3D allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Verge3D: from n/a through 4.9.4.

Authentication Bypass
CVE-2025-49250 MEDIUM CVSS 4.3
Improper Control of Generation of Code ('Code Injection') vulnerability in cmoreira Team Showcase allows Code Injection. This issue affects Team Showcase: from n/a through n/a.

RCE Code Injection
CVE-2025-49248 MEDIUM CVSS 4.3
A security vulnerability in Missing Authorization vulnerability in cmoreira Team Showcase (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-49246 MEDIUM CVSS 4.3
A security vulnerability in Missing Authorization vulnerability in cmoreira Testimonials Showcase (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-49244 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vova Shortcodes Ultimate allows Stored XSS. This issue affects Shortcodes Ultimate: from n/a through 7.3.5.

XSS
CVE-2025-49243 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sevenspark ShiftNav - Responsive Mobile Menu allows Stored XSS. This issue affects ShiftNav - Responsive Mobile Menu: from n/a through 1.8.

XSS
CVE-2025-49242 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sevenspark Bellows Accordion Menu allows Stored XSS. This issue affects Bellows Accordion Menu: from n/a through 1.4.3.

XSS
CVE-2025-49241 MEDIUM CVSS 5.3
A security vulnerability in Missing Authorization vulnerability in bobbingwide oik (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-49240 MEDIUM CVSS 4.3
A security vulnerability in Missing Authorization vulnerability in nK DocsPress (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-49239 MEDIUM CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce allows Cross Site Request Forgery. This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through 5.5.0.

WordPress CSRF
CVE-2025-49238 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in everestthemes Everest Backup allows Cross Site Request Forgery. This issue affects Everest Backup: from n/a through 2.3.3.

CSRF
CVE-2025-49236 MEDIUM CVSS 5.3
A security vulnerability in raychat Raychat allows Accessing Functionality Not Properly Constrained by ACLs (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-49235 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RTMKit Addons for Elementor allows Stored XSS. This issue affects RTMKit Addons for Elementor: from n/a through 1.6.0.

XSS
CVE-2025-49128 MEDIUM CVSS 4.0
Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.

Information Disclosure Debian Ubuntu Red Hat
CVE-2025-49077 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in ThemeHigh Dynamic Pricing and Discount Rules allows Cross Site Request Forgery.This issue affects Dynamic Pricing and Discount Rules: from n/a through 2.2.9.

CSRF
CVE-2025-49076 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Innovations The Plus Addons for Elementor Page Builder Lite allows Stored XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 6.2.7.

XSS
CVE-2025-49075 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Stored XSS.This issue affects Wishlist: from n/a through 1.0.43.

XSS
CVE-2025-49074 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemesGrove WidgetKit allows Stored XSS.This issue affects WidgetKit: from n/a through 2.5.4.

XSS
CVE-2025-49068 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OceanWP Ocean Extra allows Stored XSS.This issue affects Ocean Extra: from n/a through 2.4.8.

XSS
CVE-2025-49067 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Nasa Core allows Stored XSS.This issue affects Nasa Core: from n/a before 6.4.1.

XSS
CVE-2025-48910 MEDIUM CVSS 5.5
Buffer overflow vulnerability in the DFile module Impact: Successful exploitation of this vulnerability may affect availability.

Buffer Overflow Heap Overflow Harmonyos
CVE-2025-48908 MEDIUM CVSS 6.7
CVE-2025-48908 is a security vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures.

Information Disclosure Harmonyos
CVE-2025-48907 MEDIUM CVSS 6.2
Deserialization vulnerability in the IPC module Impact: Successful exploitation of this vulnerability may affect availability.

Deserialization Harmonyos
CVE-2025-48904 MEDIUM CVSS 4.4
CVE-2025-48904 is a security vulnerability (CVSS 4.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Harmonyos
CVE-2025-48902 MEDIUM CVSS 6.6
A remote code execution vulnerability (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Information Disclosure Emui Harmonyos
CVE-2025-48337 MEDIUM CVSS 5.3
Missing Authorization vulnerability in QuickcabWP QuickCab.This issue affects QuickCab: from n/a through 1.3.3.

Authentication Bypass
CVE-2025-48335 MEDIUM CVSS 5.4
Missing Authorization vulnerability in CyberChimps Responsive Plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Plus: from n/a through 3.2.0.

Authentication Bypass
CVE-2025-48328 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Daman Jeet Real Time Validation for Gravity Forms allows Cross Site Request Forgery.This issue affects Real Time Validation for Gravity Forms: from n/a through 1.7.0.

CSRF
CVE-2025-41367 MEDIUM CVSS 4.8
Stored Cross-Site Scripting (XSS) vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious JavaScript payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that can only be executed with permissions higher than the view permission.

XSS
CVE-2025-41366 MEDIUM CVSS 5.1
A remote code execution vulnerability in IDF (CVSS 5.1). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-41365 MEDIUM CVSS 5.1
Code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed only with permissions higher than the view permission.

RCE Code Injection
CVE-2025-41364 MEDIUM CVSS 5.1
Stored Cross-Site Scripting (XSS) vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious JavaScript payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission.

XSS
CVE-2025-41363 MEDIUM CVSS 5.3
A remote code execution vulnerability in IDF (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-41362 MEDIUM CVSS 5.3
Code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission.

RCE Code Injection
CVE-2025-38002 MEDIUM CVSS 5.5
CVE-2025-38002 is a security vulnerability (CVSS 5.5). Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Linux Debian Ubuntu Red Hat
CVE-2025-38001 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

Denial Of Service Linux Debian Ubuntu Red Hat
CVE-2025-36513 MEDIUM CVSS 4.3
Cross-site request forgery vulnerability exists in surveillance cameras provided by i-PRO Co., Ltd.. If a user views a crafted page while logged in to the affected product, unintended operations may be performed.

CSRF
CVE-2025-33035 MEDIUM CVSS 6.5
A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Path Traversal File Station
CVE-2025-31025 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blocksera Image Hover Effects Block allows Stored XSS. This issue affects Image Hover Effects Block: from n/a through 1.4.5.

XSS
CVE-2025-31000 MEDIUM CVSS 5.3
Missing Authorization vulnerability in Miguel Fuentes Payment QR WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment QR WooCommerce: from n/a through 1.1.6.

WordPress Authentication Bypass
CVE-2025-30997 MEDIUM CVSS 5.4
Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Car Repair Services allows Server Side Request Forgery. This issue affects Car Repair Services: from n/a through 5.0.

SSRF
CVE-2025-30994 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Emraan Cheema CubeWP - All-in-One Dynamic Content Framework allows Cross Site Request Forgery. This issue affects CubeWP - All-in-One Dynamic Content Framework: from n/a through 1.1.23.

CSRF
CVE-2025-30991 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Premium Packages allows Stored XSS. This issue affects Premium Packages: from n/a through 6.0.2.

XSS
CVE-2025-30990 MEDIUM CVSS 4.3
Missing Authorization vulnerability in ThemeHunk ThemeHunk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeHunk: from n/a through 1.1.1.

Authentication Bypass
CVE-2025-30986 MEDIUM CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in _CreativeMedia_ Elite Video Player allows Cross Site Request Forgery. This issue affects Elite Video Player: from n/a through 10.0.5.

CSRF
CVE-2025-30981 MEDIUM CVSS 6.3
Cross-Site Request Forgery (CSRF) vulnerability in tggfref WP-Recall allows Privilege Escalation. This issue affects WP-Recall: from n/a through 16.26.14.

Privilege Escalation CSRF
CVE-2025-30980 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link allows Cross Site Request Forgery. This issue affects Simple Keyword to Link: from n/a through 1.5.

CSRF
CVE-2025-30978 MEDIUM CVSS 4.3
Missing Authorization vulnerability in Dor Zuberi Slack Notifications by dorzki allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slack Notifications by dorzki: from n/a through 2.0.7.

Authentication Bypass
CVE-2025-30977 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaport Live Chat WP Live Chat + Chatbots Plugin for WordPress - Chaport allows Stored XSS. This issue affects WP Live Chat + Chatbots Plugin for WordPress - Chaport: from n/a through 1.1.5.

WordPress XSS
CVE-2025-30976 MEDIUM CVSS 4.9
Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through 1.1.0.

SSRF
CVE-2025-30974 MEDIUM CVSS 4.3
Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid Master: from n/a through 3.4.13.

Authentication Bypass
CVE-2025-30968 MEDIUM CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in jokerbr313 Advanced Post List allows Cross Site Request Forgery. This issue affects Advanced Post List: from n/a through 0.5.6.2.

CSRF
CVE-2025-30958 MEDIUM CVSS 5.4
A security vulnerability in Missing Authorization vulnerability in onOffice GmbH onOffice for WP-Websites (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-30957 MEDIUM CVSS 5.4
Missing Authorization vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Activity Plus Reloaded for BuddyPress: from n/a through 1.1.2.

Authentication Bypass
CVE-2025-30956 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Booqable Rental Software Booqable Rental allows Cross Site Request Forgery. This issue affects Booqable Rental: from n/a through 2.4.20.

CSRF
CVE-2025-30954 MEDIUM CVSS 4.7
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin allows Phishing. This issue affects WP Gravity Forms Constant Contact Plugin: from n/a through 1.1.0.

Open Redirect
CVE-2025-30953 MEDIUM CVSS 4.7
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms Salesforce allows Phishing. This issue affects WP Gravity Forms Salesforce: from n/a through 1.4.7.

Open Redirect
CVE-2025-30952 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdive Nexa Blocks allows Stored XSS. This issue affects Nexa Blocks: from n/a through 1.1.0.

XSS
CVE-2025-30951 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stiofan BlockStrap Page Builder - Bootstrap Blocks allows Stored XSS. This issue affects BlockStrap Page Builder - Bootstrap Blocks: from n/a through 0.1.36.

XSS
CVE-2025-30950 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham All Currencies for WooCommerce woocommerce-all-currencies allows Stored XSS.This issue affects All Currencies for WooCommerce: from n/a through 2.4.3.

WordPress XSS
CVE-2025-30948 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Giraphix Creative Layouts for Elementor allows Cross Site Request Forgery. This issue affects Layouts for Elementor: from n/a through 1.11.

CSRF
CVE-2025-30946 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Michael Cannon Custom Bulk/Quick Edit allows Cross Site Request Forgery. This issue affects Custom Bulk/Quick Edit: from n/a through 1.6.10.

CSRF
CVE-2025-30945 MEDIUM CVSS 5.3
A security vulnerability in Missing Authorization vulnerability in taskbuilder Taskbuilder (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-30942 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Post Custom Templates Lite allows Stored XSS. This issue affects Post Custom Templates Lite: from n/a through 1.14.

XSS
CVE-2025-30941 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marvie Pons Pinterest Verify Meta Tag allows Stored XSS. This issue affects Pinterest Verify Meta Tag: from n/a through 1.3.

XSS
CVE-2025-30940 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in melipayamak Melipayamak allows Stored XSS. This issue affects Melipayamak: from n/a through 2.2.12.

XSS
CVE-2025-30939 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Debashish IFrame Widget allows Stored XSS. This issue affects IFrame Widget: from n/a through 4.1.

XSS
CVE-2025-30938 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in broadly Broadly for WordPress allows Stored XSS. This issue affects Broadly for WordPress: from n/a through 3.0.2.

WordPress XSS
CVE-2025-30937 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stefanledin Responsify WP allows Stored XSS. This issue affects Responsify WP: from n/a through 1.9.11.

XSS
CVE-2025-30935 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NickDuncan Contact Form allows DOM-Based XSS. This issue affects Contact Form: from n/a through 2.0.12.

XSS
CVE-2025-30934 MEDIUM CVSS 5.3
Missing Authorization vulnerability in OLIVESYSTEM 診断ジェネレータ作成プラグイン allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects 診断ジェネレータ作成プラグイン: from n/a through 1.4.16.

Authentication Bypass
CVE-2025-30932 MEDIUM CVSS 5.4
Missing Authorization vulnerability in WP Compress WP Compress for MainWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Compress for MainWP: from n/a through 6.30.32.

Authentication Bypass
CVE-2025-30931 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamil Shafeev «Подсказки» от DaData.ru allows Stored XSS. This issue affects «Подсказки» от DaData.ru: from n/a through 1.0.6.

XSS
CVE-2025-30930 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Unreal Themes ACF: Yandex Maps Field allows Stored XSS. This issue affects ACF: Yandex Maps Field: from n/a through 1.1.

XSS
CVE-2025-30928 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vicchi WP Biographia allows Stored XSS. This issue affects WP Biographia: from n/a through 4.0.0.

XSS
CVE-2025-30927 MEDIUM CVSS 4.3
Missing Authorization vulnerability in Wordapp Team Wordapp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wordapp: from n/a through 1.7.0.

Authentication Bypass
CVE-2025-30638 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PowieT Powie's Uptime Robot allows Stored XSS. This issue affects Powie's Uptime Robot: from n/a through 0.9.7.

XSS
CVE-2025-30637 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Deetronix Booking Ultra Pro allows Stored XSS. This issue affects Booking Ultra Pro: from n/a through 1.1.20.

XSS
CVE-2025-30636 MEDIUM CVSS 5.4
Missing Authorization vulnerability in Ability, Inc Accessibility Suite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Suite: from n/a through 4.19.

Authentication Bypass
CVE-2025-30634 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IWEBIX WP Featured Content Slider allows Stored XSS. This issue affects WP Featured Content Slider: from n/a through 2.6.

XSS
CVE-2025-30632 MEDIUM CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in pozzad Global Translator allows Cross Site Request Forgery. This issue affects Global Translator: from n/a through 2.0.2.

CSRF
CVE-2025-30630 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pozzad Global Translator allows Stored XSS. This issue affects Global Translator: from n/a through 2.0.2.

XSS
CVE-2025-30629 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Codehaveli Bitly URL Shortener allows Cross Site Request Forgery. This issue affects Bitly URL Shortener: from n/a through 1.3.3.

CSRF
CVE-2025-30627 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in regolithsjk Elegant Visitor Counter allows Stored XSS. This issue affects Elegant Visitor Counter: from n/a through 3.1.

XSS
CVE-2025-30625 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt Pramschufer AppBanners allows Stored XSS. This issue affects AppBanners: from n/a through 1.5.14.

XSS
CVE-2025-30624 MEDIUM CVSS 4.3
Missing Authorization vulnerability in WordLift WordLift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordLift: from n/a through 3.54.4.

Authentication Bypass
CVE-2025-29871 MEDIUM CVSS 5.5
An out-of-bounds read vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Buffer Overflow Information Disclosure File Station
CVE-2025-29013 MEDIUM CVSS 5.4
CVE-2025-29013 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-29011 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CHR Designer YouTube Simple Gallery allows Stored XSS. This issue affects YouTube Simple Gallery: from n/a through 2.2.0.

XSS
CVE-2025-29010 MEDIUM CVSS 4.3
A security vulnerability in Missing Authorization vulnerability in eleopard Behance Portfolio Manager (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-29008 MEDIUM CVSS 4.9
Server-Side Request Forgery (SSRF) vulnerability in ShawonPro SocialMark allows Server Side Request Forgery. This issue affects SocialMark: from n/a through 2.0.7.

SSRF
CVE-2025-29006 MEDIUM CVSS 5.3
A remote code execution vulnerability (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass
CVE-2025-29005 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in weblizar HR Management Lite allows Cross Site Request Forgery. This issue affects HR Management Lite: from n/a through 3.3.

CSRF
CVE-2025-29003 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mva7 The Holiday Calendar allows Stored XSS. This issue affects The Holiday Calendar: from n/a through 1.18.2.1.

XSS
CVE-2025-28997 MEDIUM CVSS 5.3
Missing Authorization vulnerability in EXEIdeas International WP AutoKeyword allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP AutoKeyword: from n/a through 1.0.

Authentication Bypass
CVE-2025-28996 MEDIUM CVSS 4.3
Missing Authorization vulnerability in Thad Allender GPP Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GPP Slideshow: from n/a through 1.3.5.

Authentication Bypass
CVE-2025-28995 MEDIUM CVSS 5.3
A security vulnerability in Missing Authorization vulnerability in viralloops Viral Loops WP Integration (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-28994 MEDIUM CVSS 4.3
A security vulnerability in Missing Authorization vulnerability in viralloops Viral Loops WP Integration (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-28989 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arildur Read More Login allows Stored XSS. This issue affects Read More Login: from n/a through 2.0.3.

XSS
CVE-2025-28985 MEDIUM CVSS 5.4
Missing Authorization vulnerability in Elastic Email Elastic Email Subscribe Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elastic Email Subscribe Form: from n/a through 1.2.2.

Authentication Bypass Elastic
CVE-2025-28984 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in storepro Subscription Renewal Reminders for WooCommerce allows Cross Site Request Forgery. This issue affects Subscription Renewal Reminders for WooCommerce: from n/a through 1.3.7.

WordPress CSRF
CVE-2025-28952 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Jonathan Lau CubePoints allows Cross Site Request Forgery. This issue affects CubePoints: from n/a through 3.2.1.

CSRF
CVE-2025-27360 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WP Corner Quick Event Calendar allows Cross Site Request Forgery. This issue affects Quick Event Calendar: from n/a through 1.4.9.

CSRF
CVE-2025-27359 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager allows Cross Site Request Forgery. This issue affects WP Media File Type Manager: from n/a through 2.3.0.

CSRF
CVE-2025-27334 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ángel C. Simple Google Static Map allows DOM-Based XSS. This issue affects Simple Google Static Map: from n/a through 1.0.1.

XSS Google
CVE-2025-26593 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in FasterThemes FastBook allows Cross Site Request Forgery. This issue affects FastBook: from n/a through 1.1.

CSRF
CVE-2025-24778 MEDIUM CVSS 5.4
Missing Authorization vulnerability in De paragon No Spam At All allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects No Spam At All: from n/a through 1.3.

Authentication Bypass
CVE-2025-24776 MEDIUM CVSS 5.4
A security vulnerability in Missing Authorization vulnerability in codelobster Responsive Flipbooks (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-24772 MEDIUM CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in cmsMinds Pay with Contact Form 7 allows Cross Site Request Forgery. This issue affects Pay with Contact Form 7: from n/a through 1.0.4.

CSRF
CVE-2025-24763 MEDIUM CVSS 5.3
Missing Authorization vulnerability in Pascal Casier bbPress API allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects bbPress API: from n/a through 1.0.14.

Authentication Bypass
CVE-2025-24762 MEDIUM CVSS 5.4
A remote code execution vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass
CVE-2025-23971 MEDIUM CVSS 5.3
A security vulnerability in Missing Authorization vulnerability in whassan KI Live Video Conferences (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-23969 MEDIUM CVSS 5.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in whassan KI Live Video Conferences allows Retrieve Embedded Sensitive Data. This issue affects KI Live Video Conferences: from n/a through 5.5.15.

Information Disclosure
CVE-2025-5778 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in 1000 Projects ABC Courier Management System version 1.0, affecting the /admin endpoint's Username parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept availability, significantly increasing real-world exploitation risk.

SQLi
CVE-2025-5760 MEDIUM CVSS 4.9
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.

PHP WordPress Information Disclosure
CVE-2025-5759 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in PHPGurukul Local Services Search Engine Management System version 2.1, specifically in the /admin/edit-person-detail.php file where the 'editid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit code available and may be actively exploited in the wild.

PHP SQLi
CVE-2025-5758 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in SourceCodester Open Source Clinic Management System v1.0, specifically in the /doctor.php file where the 'doctorname' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of sensitive healthcare information. The vulnerability has public exploit disclosure and may be actively exploited.

PHP SQLi
CVE-2025-5756 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/EditCity.php endpoint. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The exploit has been publicly disclosed with proof-of-concept code available, and the vulnerability is likely being actively exploited in the wild.

PHP SQLi
CVE-2025-5755 MEDIUM CVSS 5.5
SourceCodester Open Source Clinic Management System version 1.0 contains a critical SQL injection vulnerability in the /email_config.php file affecting the 'email' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or system compromise. Public disclosure and exploit code availability significantly elevate real-world risk.

PHP SQLi
CVE-2025-5751 MEDIUM CVSS 6.8
WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292.

Authentication Bypass Level 2 Ev Charger Firmware
CVE-2025-5733 MEDIUM CVSS 5.3
A security vulnerability in for WordPress is vulnerable to Full Path Disclosure in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

PHP WordPress Information Disclosure
CVE-2025-5719 MEDIUM CVSS 5.1
The wallet has an authentication bypass vulnerability that allows access to specific pages.

Authentication Bypass
CVE-2025-5716 MEDIUM CVSS 5.5
A remote code execution vulnerability in A vulnerability classified as critical (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
CVE-2025-5712 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in SourceCodester Open Source Clinic Management System 1.0 affecting the /appointment.php file's patient parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The exploit has been publicly disclosed with proof-of-concept availability, significantly elevating real-world exploitation risk.

PHP SQLi
CVE-2025-5711 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in code-projects Real Estate Property Management System 1.0, specifically in the /Admin/InsertCity.php file's cmbState parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.

PHP SQLi
CVE-2025-5710 MEDIUM CVSS 5.5
A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
CVE-2025-5709 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0 affecting the /Admin/InsertCategory.php endpoint. An unauthenticated remote attacker can manipulate the txtCategoryName parameter to execute arbitrary SQL commands, potentially compromising database confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, making active exploitation a significant risk.

PHP SQLi
CVE-2025-5708 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/NewsReport.php file where the 'txtFrom' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

PHP SQLi
CVE-2025-5707 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management System 1.0, affecting the /registered-user-testing.php file via the 'testtype' parameter. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete sensitive database records without user interaction. The exploit has been publicly disclosed and is likely actively exploited in the wild, making this a high-priority security issue despite the moderate CVSS 7.3 score.

PHP SQLi
CVE-2025-5706 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management System version 1.0, affecting the /new-user-testing.php endpoint where the 'state' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has public exploit code available and poses immediate risk to deployed instances.

PHP SQLi
CVE-2025-5705 MEDIUM CVSS 5.5
Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/Property.php file where the 'cmbCat' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the property management database. The exploit has been publicly disclosed with proof-of-concept code available, significantly elevating real-world exploitation risk.

PHP SQLi
CVE-2025-5703 MEDIUM CVSS 6.4
The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS Stageshow
CVE-2025-5699 MEDIUM CVSS 5.5
The Developer Formatter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2015.0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PHP WordPress XSS
CVE-2025-5686 MEDIUM CVSS 6.4
The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5586 MEDIUM CVSS 6.4
The WordPress Ajax Load More and Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5565 MEDIUM CVSS 6.4
The Hide It plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hideit' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5563 MEDIUM CVSS 6.5
The WP-Addpub plugin for WordPress is vulnerable to SQL Injection via the 'wp-addpub' shortcode in all versions up to, and including, 1.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PHP WordPress SQLi
CVE-2025-5541 MEDIUM CVSS 6.4
The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5538 MEDIUM CVSS 6.4
The BNS Featured Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bnsfc' shortcode in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5536 MEDIUM CVSS 6.4
The Freemind Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'freemind' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5534 MEDIUM CVSS 6.4
The ESV Bible Shortcode for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'esv' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5533 MEDIUM CVSS 6.4
The Knowledge Base plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kbalert' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5239 MEDIUM CVSS 6.4
The Domain For Sale plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PHP WordPress XSS
CVE-2025-5019 MEDIUM CVSS 5.4
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This ...

WordPress CSRF
CVE-2025-4966 MEDIUM CVSS 6.1
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PHP WordPress CSRF Wp Online Users Stats
CVE-2025-4964 MEDIUM CVSS 4.9
The WP Online Users Stats plugin for WordPress is vulnerable to time-based SQL Injection via the ‘table_name’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PHP WordPress SQLi Wp Online Users Stats
CVE-2025-2935 MEDIUM CVSS 5.4
The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This ma...

PHP WordPress CSRF
CVE-2025-1778 MEDIUM CVSS 4.3
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

PHP WordPress Authentication Bypass
CVE-2025-1777 MEDIUM CVSS 6.4
A security vulnerability in all (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

PHP WordPress Authentication Bypass
CVE-2025-0620 MEDIUM CVSS 4.9
A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again.

Information Disclosure Path Traversal Debian Ubuntu Red Hat
CVE-2024-58114 MEDIUM CVSS 4.0
Resource allocation control failure vulnerability in the ArkUI framework Impact: Successful exploitation of this vulnerability may affect availability.

Denial Of Service Harmonyos
CVE-2024-56805 MEDIUM CVSS 5.4
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.4.3079 build 20250321 and later QuTS hero h5.2.4.3079 build 20250321 and later

Buffer Overflow Qnap Qts Quts Hero
CVE-2024-56343 MEDIUM CVSS 4.3
IBM Verify Identity Access Digital Credentials 24.06 could allow an authenticated user to crash the service with a specially crafted POST request.

Denial Of Service IBM Verify Identity Access Digital Credentials
CVE-2024-56342 MEDIUM CVSS 4.3
IBM Verify Identity Access Digital Credentials 24.06 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

Information Disclosure IBM Verify Identity Access Digital Credentials
CVE-2024-50406 MEDIUM CVSS 5.4
A cross-site scripting (XSS) vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers who have gained user access to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: License Center 1.9.49 and later

XSS License Center
CVE-2024-46941 MEDIUM CVSS 4.8
A security vulnerability in SystemUI (CVSS 4.8) that allows access. Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2024-22330 MEDIUM CVSS 5.9
CVE-2024-22330 is a security vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.

Information Disclosure IBM Security Verify Governance
CVE-2024-13087 MEDIUM CVSS 6.7
A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

Command Injection Qurouter
CVE-2023-26002 MEDIUM CVSS 4.3
A security vulnerability in Missing Authorization vulnerability in 6Storage 6Storage Rentals (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2023-26001 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marchetti Design Next Event Calendar allows Stored XSS. This issue affects Next Event Calendar: from n/a through 1.2.

XSS
CVE-2023-26000 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hanhdo205 Bang tinh vay allows Stored XSS. This issue affects Bang tinh vay: from n/a through 1.0.1.

XSS
CVE-2023-25997 MEDIUM CVSS 6.5
Missing Authorization vulnerability in SolaPlugins Sola Support Ticket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sola Support Ticket: from n/a through 3.17.

Authentication Bypass
CVE-2025-49011 LOW CVSS 3.7
A remote code execution vulnerability in SpiceDB (CVSS 3.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure
CVE-2025-5797 LOW CVSS 2.0
A vulnerability was found in code-projects Laundry System 1.0 and classified as problematic. This issue affects some unknown processing of the file /data/insert_type.php. The manipulation of the argument Type leads to cross site scripting. The attack may be initiated remotely. The exploit has been d...

PHP XSS
CVE-2025-5796 LOW CVSS 2.0
A vulnerability has been found in code-projects Laundry System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /data/edit_type.php. The manipulation of the argument Type leads to cross site scripting. The attack can be initiated remotely. The exploit has been d...

PHP XSS
CVE-2025-5784 LOW CVSS 2.1
A vulnerability has been found in PHPGurukul Employee Record Management System 1.3 and classified as critical. This vulnerability affects unknown code of the file /myexp.php. The manipulation of the argument emp3ctc leads to sql injection. The attack can be initiated remotely. The exploit has been d...

PHP SQLi
CVE-2025-5783 LOW CVSS 2.1
A vulnerability, which was classified as critical, was found in PHPGurukul Employee Record Management System 1.3. This affects an unknown part of the file /editmyexp.php. The manipulation of the argument emp3workduration leads to sql injection. It is possible to initiate the attack remotely. The exp...

PHP SQLi
CVE-2025-5782 LOW CVSS 2.1
A vulnerability, which was classified as critical, has been found in PHPGurukul Employee Record Management System 1.3. Affected by this issue is some unknown functionality of the file /resetpassword.php. The manipulation of the argument newpassword leads to sql injection. The attack may be launched ...

PHP SQLi
CVE-2025-5780 LOW CVSS 2.1
A vulnerability was found in code-projects Patient Record Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /view_dental.php. The manipulation of the argument itr_no leads to sql injection. The attack may be launched remotely. The expl...

PHP SQLi
CVE-2025-5779 LOW CVSS 2.1
A vulnerability has been found in code-projects Patient Record Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /birthing.php. The manipulation of the argument itr_no/comp_id leads to sql injection. The attack can be launched re...

PHP SQLi
CVE-2025-5766 LOW CVSS 2.1
A vulnerability was found in code-projects Laundry System 1.0. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CSRF
CVE-2025-5765 LOW CVSS 2.0
A vulnerability was found in code-projects Laundry System 1.0. It has been classified as problematic. This affects an unknown part of the file /data/edit_laundry.php. The manipulation of the argument Customer leads to cross site scripting. It is possible to initiate the attack remotely. The exploit ...

PHP XSS
CVE-2025-5764 LOW CVSS 2.0
A vulnerability was found in code-projects Laundry System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /data/insert_laundry.php. The manipulation of the argument Customer leads to cross site scripting. The attack may be launched remotely. The ex...

PHP XSS
CVE-2025-5763 LOW CVSS 2.0
A vulnerability has been found in Tenda CP3 11.10.00.2311090948 and classified as critical. Affected by this vulnerability is the function sub_F3C8C of the file apollo. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and ...

Command Injection Tenda
CVE-2025-5762 LOW CVSS 2.1
A vulnerability, which was classified as critical, was found in code-projects Patient Record Management System 1.0. Affected is an unknown function of the file view_hematology.php. The manipulation of the argument itr_no leads to sql injection. It is possible to launch the attack remotely. The explo...

PHP SQLi
CVE-2025-5761 LOW CVSS 2.1
A vulnerability, which was classified as critical, has been found in PHPGurukul BP Monitoring Management System 1.0. This issue affects some unknown processing of the file /edit-family-member.php. The manipulation of the argument memberage leads to sql injection. The attack may be initiated remotely...

PHP SQLi
CVE-2025-5757 LOW CVSS 2.0
A vulnerability was found in code-projects Traffic Offense Reporting System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /save-reported.php. The manipulation of the argument offence_id/vehicle_no/driver_license/name/address/gender/officer_re...

PHP XSS
CVE-2025-5732 LOW CVSS 2.1
A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and ...

CSRF
CVE-2025-5729 LOW CVSS 2.1
A vulnerability, which was classified as critical, was found in code-projects Health Center Patient Record Management System 1.0. Affected is an unknown function of the file /birthing_record.php. The manipulation of the argument itr_no leads to sql injection. It is possible to launch the attack remo...

PHP SQLi
CVE-2025-5728 LOW CVSS 2.1
A vulnerability classified as critical was found in SourceCodester Open Source Clinic Management System 1.0. This vulnerability affects unknown code of the file /manage_website.php. The manipulation of the argument website_image leads to unrestricted upload. The attack can be initiated remotely. The...

PHP Authentication Bypass File Upload
CVE-2025-5727 LOW CVSS 1.9
A vulnerability classified as problematic has been found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /script/academic/announcement of the component Announcement Page. The manipulation of the argument Title leads to cross site scripting. It is poss...

XSS
CVE-2025-5726 LOW CVSS 1.9
A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /script/academic/division-system of the component Division System Page. The manipulation of the argument Division leads...

XSS
CVE-2025-5725 LOW CVSS 1.9
A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /script/academic/grading-system of the component Grading System Page. The manipulation of the argument Remark ...

XSS
CVE-2025-5724 LOW CVSS 1.9
A vulnerability was found in SourceCodester Student Result Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /script/academic/subjects of the component Subjects Page. The manipulation of the argument Subject leads to cross site scripting. It is...

XSS
CVE-2025-5723 LOW CVSS 1.9
A vulnerability was found in SourceCodester Student Result Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /script/academic/classes of the component Classes Page. The manipulation of the argument Class Name leads to cross site scripting. Th...

XSS
CVE-2025-5722 LOW CVSS 1.9
A vulnerability has been found in SourceCodester Student Result Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /script/academic/terms of the component Add Academic Term. The manipulation of the argument Academic Term leads to cross site scrip...

XSS
CVE-2025-5721 LOW CVSS 1.9
A vulnerability, which was classified as problematic, was found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /script/academic/core/update_profile of the component Profile Setting Page. The manipulation leads to cross site scripting. It is possible ...

XSS
CVE-2025-5715 LOW CVSS 0.3
A security vulnerability in A vulnerability (CVSS 3.8). Risk factors: public PoC available.

Information Disclosure Google
CVE-2025-5714 LOW CVSS 2.1
A vulnerability was found in SoluçõesCoop iSoluçõesWEB up to 20250516. It has been classified as problematic. This affects an unknown part of the file /sys/up.upload.php of the component Profile Information Update. The manipulation of the argument nomeArquivo leads to path traversal. It is possible ...

PHP Path Traversal
CVE-2025-5713 LOW CVSS 2.0
A vulnerability was found in SoluçõesCoop iSoluçõesWEB up to 20250519 and classified as problematic. Affected by this issue is some unknown functionality of the file /fluxos-dashboard of the component Flow Handler. The manipulation of the argument Descrição da solicitação leads to cross site scripti...

XSS

Track CVEs for your stack Sign up free →

Today's Vulnerabilities Vulnerabilities