Skip to main content
CVE-2024-40570 MEDIUM POC This Month

SQL Injection vulnerability in SeaCMS v.12.9 allows a remote attacker to obtain sensitive information via the admin_datarelate.php component.

PHP SQLi Seacms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-6152 MEDIUM POC PATCH This Month

A vulnerability, which was classified as critical, was found in Steel Browser up to 0.1.3. This affects the function handleFileUpload of the file api/src/modules/files/files.routes.ts. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The patch is named 7ba93a10000fb77ee01731478ef40551a27bd5b9. It is recommended to apply a patch to fix this issue.

Path Traversal Browser
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-49149 MEDIUM POC This Month

Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a cross-site scripting (XSS) attack when a user browses these web pages. At time of posting, there is no known patched version.

XSS Dify
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-6161 MEDIUM POC This Month

A remote code execution vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP File Upload Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6160 MEDIUM POC This Month

A critical SQL injection vulnerability exists in SourceCodester Client Database Management System version 1.0 affecting the /user_customer_create_order.php file, where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and proof-of-concept availability elevate exploitation risk, though the CVSS 7.3 rating indicates moderate real-world impact rather than critical severity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6159 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /allocate_room.php file's 'search_box' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. The vulnerability has been publicly disclosed with proof-of-concept code available, making it actively exploitable in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6157 MEDIUM POC This Month

Critical SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System version 1.0, located in the /registered-user-testing.php file where the 'testtype' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk in production environments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6155 MEDIUM POC This Month

Critical SQL injection vulnerability in PHPGurukul Hostel Management System 1.0 affecting the login functionality (/includes/login-hm.inc.php). An unauthenticated attacker can manipulate the Username parameter to execute arbitrary SQL queries remotely, potentially compromising data confidentiality, integrity, and availability. Public exploit disclosure and active exploitation potential significantly elevate real-world risk despite a moderate CVSS score of 7.3.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6154 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6153 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6167 MEDIUM POC PATCH This Month

A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function create_workflow of the file python_a2a/agent_flow/server/api.py. The manipulation leads to path traversal. Upgrading to version 0.5.6 is able to address this issue. It is recommended to upgrade the affected component.

Python Path Traversal Python A2a
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-6196 MEDIUM POC PATCH This Month

A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like Tumbler, which may process malicious files automatically when browsing directories. While no direct remote attack vectors are confirmed, any application using libgepub to parse user-supplied EPUB content could be vulnerable to a denial of service.

Denial Of Service Integer Overflow Ubuntu Debian Libgepub +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-5209 MEDIUM POC PATCH This Month

The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

WordPress XSS Ivory Search PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-6050 MEDIUM POC PATCH This Month

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fails to properly sanitize blog post titles before including them in JSON responses served via "/admin/displayable_links.js". An authenticated admin user can create a blog post with a malicious JavaScript payload in the title field, then trick another admin user into clicking a direct link to the "/admin/displayable_links.js" endpoint, causing the malicious script to execute in their browser.

XSS Mezzanine
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-49593 MEDIUM PATCH This Month

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a malicious container registry, or an existing container registry can be taken over, HTTP Headers (including registry authentication credentials or Portainer session tokens) may be leaked to that registry. This issue has been patched in STS version 2.31.0 and LTS version 2.27.7.

Information Disclosure Kubernetes Docker
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-49487 MEDIUM PATCH This Month

An uncontrolled search path vulnerability in the Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an attacker with physical access to a machine to execute arbitrary code on affected installations. An attacker must have had physical access to the target system in order to exploit this vulnerability due to need to access a certain hardware component. Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a previous WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only.

RCE Worry Free Business Security Services
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-48443 MEDIUM PATCH This Month

Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Local Privilege Escalation Vulnerability that could allow a local attacker to leverage this vulnerability to delete files in the context of an administrator when the administrator installs Trend Micro Password Manager.

Privilege Escalation Password Manager
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-49158 MEDIUM PATCH This Month

An uncontrolled search path vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalation privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Privilege Escalation Apex One
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-49234 MEDIUM This Month

Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Dummy Content Generator: from n/a through 3.4.6.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-30679 MEDIUM PATCH This Month

A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modOSCE component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.

Information Disclosure SSRF Apex Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-30678 MEDIUM PATCH This Month

A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modTMSM component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.

Information Disclosure SSRF Apex Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-5673 MEDIUM This Month

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49882 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emraan Cheema CubeWP Framework allows DOM-Based XSS. This issue affects CubeWP Framework: from n/a through 1.1.23.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49881 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks allows Stored XSS. This issue affects Responsive Blocks: from n/a through 2.0.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49878 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts allows DOM-Based XSS. This issue affects WPAdverts: from n/a through 2.2.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49875 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IfSo Dynamic Content If-So Dynamic Content Personalization allows Stored XSS. This issue affects If-So Dynamic Content Personalization: from n/a through 1.9.3.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49863 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Codeus Advanced Sermons allows Stored XSS. This issue affects Advanced Sermons: from n/a through 3.6.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49861 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timur Kamaev Kama Click Counter allows Stored XSS. This issue affects Kama Click Counter: from n/a through 4.0.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49859 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in etruel WP Views Counter allows Stored XSS. This issue affects WP Views Counter: from n/a through 2.0.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49858 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.17.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49855 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meks Meks Flexible Shortcodes allows DOM-Based XSS. This issue affects Meks Flexible Shortcodes: from n/a through 1.3.7.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-5700 MEDIUM This Month

The Simple Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5291 MEDIUM PATCH This Month

The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Master Slider PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-4775 MEDIUM This Month

The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-34508 MEDIUM PATCH This Month

A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host system, or cause a denial of service.

Denial Of Service Path Traversal
NVD
CVSS 3.1
6.3
EPSS
0.3%
CVE-2025-49175 MEDIUM PATCH This Month

A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.

Buffer Overflow Information Disclosure
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-45880 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the data resource management function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload.

XSS Amygdala
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-45878 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the report manager function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload.

XSS Amygdala
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-45879 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the e-mail manager function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload.

XSS Amygdala
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-48993 MEDIUM PATCH This Month

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.

Microsoft XSS Group Office
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-49177 MEDIUM PATCH This Month

A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

Information Disclosure
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-49871 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Mutende Noptin allows Stored XSS. This issue affects Noptin: from n/a through 3.8.7.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-49862 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in motov.net Ebook Store allows Stored XSS. This issue affects Ebook Store: from n/a through 5.8008.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-49178 MEDIUM PATCH This Month

A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.

Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-30642 MEDIUM PATCH This Month

A link following vulnerability in Trend Micro Deep Security 20.0 agents could allow a local attacker to create a denial of service (DoS) situation on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Denial Of Service Deep Security Agent
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-5141 MEDIUM This Month

CVE-2025-5141 is a security vulnerability (CVSS 5.5) that allows low privilege local users. Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-49872 MEDIUM This Month

Missing Authorization vulnerability in WPExperts.io myCred allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects myCred: from n/a through 2.9.4.2.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-49864 MEDIUM This Month

Missing Authorization vulnerability in AFS Analytics AFS Analytics allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AFS Analytics: from n/a through 4.21.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-40674 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

XSS
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-49877 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Metagauss ProfileGrid allows Server Side Request Forgery. This issue affects ProfileGrid : from n/a through 5.9.5.2.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy