Skip to main content
CVE-2025-49984 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Angelo Mandato PowerPress Podcasting allows Server Side Request Forgery. This issue affects PowerPress Podcasting: from n/a through 11.12.11.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-49983 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Joe Hoyle WPThumb allows Server Side Request Forgery. This issue affects WPThumb: from n/a through 0.10.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-5963 MEDIUM This Month

The Postbox's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. The original company behind Postbox is no longer operational, the software will no longer receive updates. The acquiring company (em Client) did not cooperate in vulnerability disclosure.

Apple Privilege Escalation macOS
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-5255 MEDIUM This Month

The Phoenix Code's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in commit 0c75fb57f89d0b7d9b180026bc2624b7dcf807da

Apple Privilege Escalation macOS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-38083 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

Race Condition Information Disclosure Linux
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-49978 MEDIUM This Month

CVE-2025-49978 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49969 MEDIUM This Month

Missing Authorization vulnerability in Zara 4 Zara 4 Image Compression allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zara 4 Image Compression: from n/a through 1.2.17.2.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-52719 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Metagauss ProfileGrid allows Retrieve Embedded Sensitive Data. This issue affects ProfileGrid : from n/a through 5.9.5.2.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-3228 MEDIUM PATCH This Month

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.

Authentication Bypass Debian Mattermost Server Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-3227 MEDIUM PATCH This Month

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.

Authentication Bypass Debian Mattermost Server Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49982 MEDIUM This Month

A security vulnerability in Missing Authorization vulnerability in aguilatechnologies WP Customer Area (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49976 MEDIUM This Month

Missing Authorization vulnerability in WANotifier WANotifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through 2.7.7.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49974 MEDIUM This Month

A security vulnerability in a Project Management (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49973 MEDIUM This Month

Missing Authorization vulnerability in GrandPlugins Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes: from n/a through 1.0.9.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49970 MEDIUM This Month

A security vulnerability in Missing Authorization vulnerability in sparklewpthemes Hello FSE Blog (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49981 MEDIUM This Month

A security vulnerability in Missing Authorization vulnerability in mahabub81 User Roles and Capabilities (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49980 MEDIUM This Month

Missing Authorization vulnerability in WP Event Manager WP User Profile Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Profile Avatar: from n/a through 1.0.6.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49979 MEDIUM This Month

A security vulnerability in Missing Authorization vulnerability in slui Media Hygiene (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-49971 MEDIUM This Month

CVE-2025-49971 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-52711 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in BoldGrid Post and Page Builder by BoldGrid - Visual Drag and Drop Editor allows Cross Site Request Forgery.This issue affects Post and Page Builder by BoldGrid - Visual Drag and Drop Editor: from n/a through 1.27.8.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49977 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WP Inventory WP Inventory Manager allows Cross Site Request Forgery. This issue affects WP Inventory Manager: from n/a through 2.3.4.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49975 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Hossni Mubarak JobWP allows Cross Site Request Forgery. This issue affects JobWP: from n/a through 2.4.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49972 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in David Wood TM Replace Howdy allows Cross Site Request Forgery. This issue affects TM Replace Howdy: from n/a through 1.4.2.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49968 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Oganro XML Travel Portal Widget allows Cross Site Request Forgery. This issue affects XML Travel Portal Widget: from n/a through 2.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49967 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49966 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Oganro Oganro Travel Portal Search Widget for HotelBeds APITUDE API allows Cross Site Request Forgery. This issue affects Oganro Travel Portal Search Widget for HotelBeds APITUDE API: from n/a through 1.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49965 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Oganro PixelBeds Channel Manager and Hotel Booking Engine allows Cross Site Request Forgery. This issue affects PixelBeds Channel Manager and Hotel Booking Engine: from n/a through 1.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49964 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in indgeek ClipLink allows Cross Site Request Forgery. This issue affects ClipLink: from n/a through 1.1.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2024-7586 MEDIUM PATCH This Month

An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials.

Gitlab Information Disclosure Ubuntu Debian
NVD
CVSS 3.1
4.1
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy