Skip to main content
CVE-2025-26412 MEDIUM This Month

CVE-2025-26412 is a security vulnerability (CVSS 6.8) that allows an attacker. Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-4673 MEDIUM PATCH This Month

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

Information Disclosure Ubuntu Debian Red Hat Suse
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-32466 MEDIUM This Month

A SQL injection vulnerability in RSMediaGallery! component 1.7.4 - 2.1.7 for Joomla was discovered. The issue occurs within the dashboard component, where user-supplied input is not properly sanitized before being stored and rendered. An attacker can inject malicious JavaScript code into text fields or other input points, which is subsequently executed in the browser of any user who clicks on the crafted text in the dashboard.

SQLi Joomla
NVD
CVSS 4.0
6.7
EPSS
0.1%
CVE-2025-3473 MEDIUM This Month

CVE-2025-3473 is a security vulnerability (CVSS 6.7) that allows a local privileged user. Remediation should follow standard vulnerability management procedures.

Privilege Escalation IBM Guardium Data Protection
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-4605 MEDIUM PATCH This Month

A maliciously crafted .usdc file, when loaded through Autodesk Maya, can force an uncontrolled memory allocation vulnerability. A malicious actor may leverage this vulnerability to cause a denial-of-service (DoS), or cause data corruption.

Information Disclosure Universal Scene Description Maya
NVD GitHub
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-5986 MEDIUM PATCH This Month

A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2.

Microsoft Mozilla Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-48448 MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Drupal Admin Audit Trail allows Excessive Allocation.This issue affects Admin Audit Trail: from 0.0.0 before 1.0.5.

Denial Of Service Admin Audit Trail Drupal
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-4666 MEDIUM This Month

The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5144 MEDIUM PATCH This Month

The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS The Events Calendar PHP
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-26383 MEDIUM This Month

A security vulnerability in The (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Microsoft Information Disclosure Windows
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2024-35295 MEDIUM This Month

A vulnerability has been identified in Perfect Harmony GH180 (All versions >= V8.0 < V8.3.3 with NXGPro+ controller manufactured between April 2020 to April 2025). The maintenance connection of affected devices fails to protect access to the device's control unit configuration. This could allow an attacker with physical access to the maintenance connection's door port to perform arbitrary configuration changes.

Authentication Bypass
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-49150 MEDIUM PATCH This Month

Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enable was set to True. This means that by writing a JSON file, an attacker can trigger an arbitrary HTTP GET request that does not require user confirmation. Since the Cursor Agent can edit JSON files, this means a malicious agent, for example, after a prompt injection attack already succeeded, could trigger a GET request to an attacker controlled URL, potentially exfiltrating other data the agent may have access to. This vulnerability is fixed in 0.51.0.

Information Disclosure
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-1055 MEDIUM PATCH This Month

A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL requests to terminate a wide range of processes running with administrative or system-level privileges, with the exception of those inherently protected by the operating system. This flaw stems from missing access control in the driver's IOCTL handler, enabling unprivileged users to perform privileged actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical services or privileged applications.

Denial Of Service Authentication Bypass
NVD
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-0917 MEDIUM This Month

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

XSS IBM Cognos Analytics
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-35941 MEDIUM This Month

A security vulnerability in A password (CVSS 5.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-8270 MEDIUM This Month

A remote code execution vulnerability in macOS Rocket.Chat application (CVSS 5.5). Remediation should follow standard vulnerability management procedures.

Apple Authentication Bypass macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-0913 MEDIUM PATCH This Month

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

Microsoft Information Disclosure Ubuntu Debian Go +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-48444 MEDIUM PATCH This Month

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Authentication Bypass Quick Node Block Drupal
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-48013 MEDIUM PATCH This Month

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Authentication Bypass Quick Node Block Drupal
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-0163 MEDIUM This Month

CVE-2025-0163 is a security vulnerability (CVSS 5.3) that allows a remote attacker. Remediation should follow standard vulnerability management procedures.

Docker Information Disclosure IBM Security Verify Access Security Verify Access Docker
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-0923 MEDIUM This Month

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system.

Information Disclosure IBM Cognos Analytics
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-4798 MEDIUM PATCH This Month

The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.

WordPress Information Disclosure Wp Downloadmanager PHP
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-30675 MEDIUM PATCH This Month

In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.  This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain. Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.

Apache Information Disclosure Cloudstack
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-4573 MEDIUM PATCH This Month

{remote_id}/link API when objectGUID is configured as the Group ID Attribute.

LDAP Code Injection Debian Mattermost Server Suse
NVD GitHub
CVSS 3.1
4.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy