Skip to main content
CVE-2025-52559 MEDIUM PATCH This Month

Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a preview of what the email weekly digest would contain. This URL, though not the digest itself, contains a cross-site scripting (XSS) vulnerability in both topic names and channel names. This issue has been fixed in Zulip Server 10.4. A workaround for this issue involves denying access to /digest/.

XSS Debian Zulip Server
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-27023 MEDIUM PATCH This Month

Lack or insufficent input validation in WebGUI CLI web in Infinera G42 version R6.1.3 allows remote authenticated users to read all OS files via crafted CLI commands. Details: The web interface based management of the Infinera G42 appliance enables the feature of executing a restricted set of commands. This feature also offers the option to execute a script-file already present on the target device. When a non-script or incorrect file is specified, the content of the file is shown along with an error message. Due to an execution of the http service with a privileged user all files on the file system can be viewed this way.

Information Disclosure G42 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-53358 MEDIUM This Month

kotaemon is an open-source RAG-based tool for document comprehension. From versions 0.10.6 and prior, in libs/ktem/ktem/index/file/ui.py, the index_fn method accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them, enabling attackers to traverse directories (e.g. ../../../../../.env) and exfiltrate sensitive files. This issue has been patched via commit 37cdc28, in version 0.10.7 which has not been made public at time of publication.

Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-27024 MEDIUM PATCH This Month

A security vulnerability in SFTP service in Infinera G42 (CVSS 6.5) that allows remote authenticated users. Remediation should follow standard vulnerability management procedures.

Information Disclosure G42 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-52891 MEDIUM PATCH This Month

A remote code execution vulnerability in versions 2.9.8 to (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Apache Information Disclosure Nginx Ubuntu Debian +2
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-39362 MEDIUM This Month

Missing Authorization vulnerability in Mollie Mollie Payments for WooCommerce.This issue affects Mollie Payments for WooCommerce: from n/a through 8.0.2.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-45029 MEDIUM This Month

WINSTAR WN572HP3 v230525 was discovered to contain a heap overflow via the CONTENT_LENGTH variable at /cgi-bin/upload.cgi.

Heap Overflow Buffer Overflow
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-2330 MEDIUM PATCH This Month

The All-in-One Addons for Elementor - WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button+modal' widget in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS All In One Addons For Elementor PHP Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-24330 MEDIUM This Month

Sending a crafted SOAP "provision" operation message PlanId field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause path traversal issue in Nokia Single RAN baseband software with versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to release 24R1-SR 1.0 MP and later. Beginning with release 24R1-SR 1.0 MP, the OAM service software performed PlanId field input validations mitigate the reported path traversal issue.

Path Traversal
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-24329 MEDIUM This Month

Sending a crafted SOAP "provision" operation message archive field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause path traversal issue in Nokia Single RAN baseband software with versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to release 24R1-SR 1.0 MP and later. Beginning with release 24R1-SR 1.0 MP, the OAM service software utilizes libarchive APIs with security options enabled, effectively mitigating the reported path traversal issue.

Path Traversal
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-6687 MEDIUM This Month

The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-6686 MEDIUM This Month

The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-24333 MEDIUM This Month

Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file. This issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file.

Command Injection
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-24331 MEDIUM This Month

A security vulnerability in capabilities (CVSS 6.4). Remediation should follow standard vulnerability management procedures.

Privilege Escalation
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-5692 MEDIUM PATCH This Month

The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.

PHP WordPress Authentication Bypass Lead Form Data Collection To Crm
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2024-11405 MEDIUM This Month

The WP Front-end login and register plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the email and wpmp_reset_password_token parameters in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

WordPress XSS Wp Front End Login And Register
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-20310 MEDIUM This Month

A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials.

XSS Cisco Enterprise Chat And Email
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-52462 MEDIUM This Month

Cross-site scripting vulnerability exists in Active! mail 6 BuildInfo: 6.30.01004145 to 6.60.06008562. If this vulnerability is exploited, an arbitrary script may be executed on the logged-in user's web browser when the user is accessing a specially crafted URL.

XSS
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2025-20308 MEDIUM This Month

A vulnerability in Cisco Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. This vulnerability is due to insufficient restrictions during the execution of specific CLI commands. An attacker could exploit this vulnerability by logging in to the Cisco Spaces Connector CLI as the spacesadmin user and executing a specific command with crafted parameters. A successful exploit could allow the attacker to elevate privileges from the spacesadmin user and execute arbitrary commands on the underlying operating system as root.

Cisco Command Injection Spaces Connector
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-34075 MEDIUM PATCH This Month

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Rated medium severity (CVSS 5.4), this vulnerability is low attack complexity. No vendor patch available.

RCE Ubuntu Suse
NVD GitHub
CVSS 4.0
5.4
EPSS
2.0%
CVE-2025-38093 MEDIUM PATCH This Month

CVE-2025-38093 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Information Disclosure Ubuntu Debian Linux Kernel +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38092 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ksmbd: use list_first_entry_or_null for opinfo_get_list() The list_first_entry() macro never returns NULL. If the list is empty then it returns an invalid pointer. Use list_first_entry_or_null() to check if the list is empty.

Linux Null Pointer Dereference Denial Of Service Ubuntu Debian +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-6017 MEDIUM This Month

A security vulnerability in Red Hat Advanced Cluster Management (CVSS 5.5) that allows an unprivileged user. Remediation should follow standard vulnerability management procedures.

Information Disclosure Red Hat Advanced Cluster Management For Kubernetes
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-6725 MEDIUM This Month

In the PdfViewer component, a Cross-Site Scripting (XSS) vulnerability is possible if a specially-crafted document has already been loaded and the user engages with a tool that requires the DOM to be re-rendered.

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-46647 MEDIUM PATCH This Month

CVE-2025-46647 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Apache Information Disclosure Apisix
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-13451 MEDIUM PATCH This Month

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5.

WordPress Information Disclosure Bit Form
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-53108 MEDIUM PATCH This Month

A security vulnerability in HomeBox (CVSS 5.3) that allows authenticated users. Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-52925 MEDIUM PATCH This Month

A security vulnerability in One Identity OneLogin Active Directory Connector (CVSS 5.0). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-27026 MEDIUM PATCH This Month

A security vulnerability in the WebGUI for CLI deactivation in Infinera G42 (CVSS 4.9) that allows an authenticated administrator. Remediation should follow standard vulnerability management procedures.

Information Disclosure G42 Firmware
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-20307 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

XSS Cisco Broadworks Application Delivery Platform
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-24328 MEDIUM This Month

Sending a crafted SOAP "set" operation message within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause Nokia Single RAN baseband OAM service component restart with software versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to release 24R1-SR 1.0 MP and later. The OAM service component restarts automatically after the stack overflow without causing a base station restart or network service degradation, and without leaving any permanent impact on the Nokia Single RAN baseband OAM service.

Buffer Overflow Stack Overflow
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-6943 LOW Monitor

Secret Server version 11.7 and earlier is vulnerable to a SQL report creation vulnerability that allows an administrator to gain access to restricted tables.

Privilege Escalation
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-6942 LOW PATCH Monitor

CVE-2025-6942 is a security vulnerability (CVSS 3.8) that allows an attacker. Remediation should follow standard vulnerability management procedures.

Authentication Bypass
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-4654 LOW Monitor

A security vulnerability in Soumettre.fr (CVSS 3.7). Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-53492 LOW PATCH Monitor

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MintyDocs Extension allows Stored XSS.This issue affects Mediawiki - MintyDocs Extension: from 1.43.X before 1.43.2.

XSS
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-24334 LOW Monitor

CVE-2025-24334 is a security vulnerability (CVSS 3.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-52463 LOW Monitor

Cross-site request forgery vulnerability exists in Active! mail 6 BuildInfo: 6.60.06008562 and earlier. If this vulnerability is exploited, unintended E-mail may be sent when a user accesses a specially crafted URL while being logged in.

CSRF
NVD
CVSS 3.0
3.1
EPSS
0.0%
CVE-2025-24335 LOW Monitor

Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service. No practical exploit has been detected for this flaw. However, the issue has been corrected starting from release 24R1-SR 2.1 MP by adding sufficient input validation for received SOAP requests, effectively mitigating the reported issue.

Denial Of Service
NVD
CVSS 3.1
2.0
EPSS
0.0%
CVE-2025-53109 PATCH Monitor

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve.

Information Disclosure
NVD GitHub
EPSS
0.2%
CVE-2025-53110 PATCH Monitor

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve.

Path Traversal
NVD GitHub
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy