Skip to main content
CVE-2025-45737 MEDIUM POC This Month

An issue in NetEase (Hangzhou) Network Co., Ltd NeacSafe64 Driver before v1.0.0.8 allows attackers to escalate privileges via sending crafted IOCTL commands to the NeacSafe64.sys component.

Privilege Escalation Neacsafe64
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44559 MEDIUM POC This Month

An issue in the Bluetooth Low Energy (BLE) stack of Realtek RTL8762E BLE SDK v1.4.0 allows attackers within Bluetooth range to cause a Denial of Service (DoS) via sending a specific sequence of crafted control packets.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-45729 MEDIUM POC This Month

D-Link DIR-823-Pro 1.02 has improper permission control, allowing unauthorized users to turn on and access Telnet services.

Authentication Bypass Dir 823 Pro Firmware D-Link
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-44163 MEDIUM POC PATCH This Month

RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.

PHP Path Traversal Raspap Webgui
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-6776 MEDIUM POC PATCH This Month

A vulnerability classified as critical was found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This vulnerability affects the function Upload of the file app/plugins/oss/app/controller.py of the component File Upload. The manipulation of the argument image leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The name of the patch is e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.

File Upload Python Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2025-6772 MEDIUM POC This Month

A vulnerability was found in eosphoros-ai db-gpt up to 0.7.2. It has been classified as critical. Affected is the function import_flow of the file /api/v2/serve/awel/flow/import. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2025-6777 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in code-projects Food Distributor Site 1.0. This issue affects some unknown processing of the file /admin/process_login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5093 MEDIUM POC PATCH This Month

The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 use the Swipebox library which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

WordPress XSS Responsive Lightbox PHP
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-5035 MEDIUM POC PATCH This Month

The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.

WordPress XSS Firelight Lightbox PHP
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-5194 MEDIUM POC PATCH This Month

The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

WordPress XSS Wp Map Block PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-5526 MEDIUM POC PATCH This Month

A security vulnerability in BuddyPress Docs WordPress (CVSS 4.3) that allows a logged. Risk factors: public PoC available.

WordPress Information Disclosure Buddypress Docs PHP
NVD WPScan
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-40910 MEDIUM This Month

CVE-2025-40910 is a security vulnerability (CVSS 6.5) that allows attackers. Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53284 MEDIUM This Month

A security vulnerability in pankaj (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53336 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in abditsori My Resume Builder allows Stored XSS. This issue affects My Resume Builder: from n/a through 1.0.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53321 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raise The Money Raise The Money allows DOM-Based XSS. This issue affects Raise The Money: from n/a through 5.2.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53320 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wp Enhanced Free Downloads EDD allows DOM-Based XSS. This issue affects Free Downloads EDD: from n/a through 1.0.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53301 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Junkie Theme Junkie Team Content allows DOM-Based XSS. This issue affects Theme Junkie Team Content: from n/a through 0.1.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53300 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in douglaskarr Podcast Feed Player Widget and Shortcode allows Stored XSS. This issue affects Podcast Feed Player Widget and Shortcode: from n/a through 2.2.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53294 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Smart Agenda Smart Agenda allows Stored XSS. This issue affects Smart Agenda: from n/a through 4.9.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53292 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk WP DataTable allows DOM-Based XSS. This issue affects WP DataTable: from n/a through 0.2.7.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53290 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap allows Stored XSS. This issue affects WP Visual Sitemap: from n/a through 1.0.2.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53282 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Thumbnail Editor allows Stored XSS. This issue affects Thumbnail Editor: from n/a through 2.3.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53280 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS. This issue affects Football Pool: from n/a through 2.12.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53279 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Popup addon for Ninja Forms allows DOM-Based XSS. This issue affects Popup addon for Ninja Forms: from n/a through 3.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53278 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter allows Stored XSS. This issue affects WP AdCenter: from n/a through 2.6.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53276 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in omnipressteam Omnipress allows DOM-Based XSS. This issue affects Omnipress: from n/a through 1.6.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53275 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VaultDweller Leyka allows DOM-Based XSS. This issue affects Leyka: from n/a through 3.31.9.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53206 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega - Absolute Addons for WPBakery Page Builder allows Stored XSS. This issue affects HT Mega - Absolute Addons for WPBakery Page Builder: from n/a through 1.0.8.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53202 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks allows DOM-Based XSS. This issue affects Responsive Blocks: from n/a through 2.0.6.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53199 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Slider For Elementor allows DOM-Based XSS. This issue affects HT Slider For Elementor: from n/a through 1.6.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50370 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Inquiry Management functionality /mcgs/admin/readenq.php of the Phpgurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authenticated admin to delete inquiry records via a simple GET request, without requiring a CSRF token or validating the origin of the request.

PHP CSRF Medical Card Generation System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50369 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Manage Card functionality (/mcgs/admin/manage-card.php) of PHPGurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authorized admin to delete medical card records by sending a simple GET request without verifying the origin of the request.

PHP CSRF Medical Card Generation System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-6550 MEDIUM This Month

The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slider_options’ parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS The Pack Elementor Addons PHP Elementor
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-4587 MEDIUM This Month

The A/B Testing for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ab-testing-for-wp/ab-test-block' block in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on the 'id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-6488 MEDIUM This Month

The isMobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-5940 MEDIUM This Month

The Osom Blocks - Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-5398 MEDIUM PATCH This Month

The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Ninja Forms PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-6689 MEDIUM This Month

The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Fl3r Accessibility Suite PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-47822 MEDIUM This Month

CVE-2025-47822 is a security vulnerability (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Information Disclosure License Plate Reader Firmware
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-47819 MEDIUM PATCH This Month

CVE-2025-47819 is a security vulnerability (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Information Disclosure Gunshot Detection Firmware
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2024-36347 MEDIUM PATCH This Month

Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment.

Information Disclosure Red Hat Suse
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-50367 MEDIUM This Month

A stored blind XSS vulnerability exists in the Contact Page of the Phpgurukul Medical Card Generation System 1.0 mcgs/contact.php. The name field fails to properly sanitize user input, allowing an attacker to inject malicious JavaScript.

PHP XSS Medical Card Generation System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-53097 MEDIUM PATCH This Month

A security vulnerability in Roo Code (CVSS 5.9). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Roo Code
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-53325 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dilip kumar Beauty Contact Popup Form allows Stored XSS. This issue affects Beauty Contact Popup Form: from n/a through 6.0.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-53296 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ecoal95 EC Stars Rating allows Stored XSS. This issue affects EC Stars Rating: from n/a through 1.0.11.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-53287 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert Cummings Quick Favicon allows Stored XSS. This issue affects Quick Favicon: from n/a through 0.22.8.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-53285 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add & Replace Affiliate Links for Amazon allows Stored XSS. This issue affects Add & Replace Affiliate Links for Amazon: from n/a through 1.0.6.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-53253 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh WP Edit allows Stored XSS. This issue affects WP Edit: from n/a through 4.0.4.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-52993 MEDIUM PATCH This Month

A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.

Race Condition Information Disclosure Ubuntu Debian Suse
NVD
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-6761 MEDIUM This Month

A security vulnerability in A vulnerability (CVSS 7.3). High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy