103 CVEs tracked today. 6 Critical, 23 High, 58 Medium, 5 Low.
-
CVE-2025-54466
CRITICAL
CVSS 9.8
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.09.02 only when the scrum plugin is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
RCE
Code Injection
Apache
Ofbiz
-
CVE-2025-9060
CRITICAL
CVSS 9.1
A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RCE
-
CVE-2025-8995
CRITICAL
CVSS 9.8
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.0.0 before 2.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Authenticator Login
Drupal
-
CVE-2025-6679
CRITICAL
CVSS 9.8
The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
RCE
File Upload
PHP
-
CVE-2025-54473
CRITICAL
CVSS 9.2
An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RCE
File Upload
Joomla
-
CVE-2025-7778
CRITICAL
CVSS 9.8
The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
WordPress
PHP
RCE
-
CVE-2025-54475
HIGH
CVSS 8.7
A SQL injection vulnerability in the JS Jobs plugin versions 1.3.2-1.4.4 for Joomla allows low-privilege users to execute arbitrary SQL commands. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Joomla
-
CVE-2025-54474
HIGH
CVSS 8.5
A SQLi vulnerability in DJ-Classifieds component 3.9.2-3.10.1 for Joomla was discovered. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Joomla
-
CVE-2025-49897
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection.1. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-43490
HIGH
CVSS 8.4
A potential security vulnerability has been identified in the HPAudioAnalytics service included in the HP Hotkey Support software, which might allow escalation of privilege. Rated high severity (CVSS 8.4), this vulnerability has low attack complexity. No vendor patch available.
Hp
Privilege Escalation
-
CVE-2025-24975
HIGH
CVSS 7.1
Firebird is a relational database. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available.
Information Disclosure
Firebird
Suse
-
CVE-2025-9046
HIGH
CVSS 7.4
A vulnerability was identified in Tenda AC20 16.03.08.12. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Tenda
Ac20 Firmware
-
CVE-2025-9023
HIGH
CVSS 7.4
A vulnerability has been found in Tenda AC7 and AC18 15.03.05.19/15.03.06.44. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Tenda
Ac7 Firmware
Ac18 Firmware
-
CVE-2025-9016
HIGH
CVSS 7.3
A vulnerability was identified in Mechrevo Control Center GX V2 5.56.51.48. Rated high severity (CVSS 7.3). No vendor patch available.
Information Disclosure
Control Center Gx V2
-
CVE-2025-9007
HIGH
CVSS 7.4
A vulnerability has been found in Tenda CH22 1.0.0.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Tenda
Ch22 Firmware
-
CVE-2025-9006
HIGH
CVSS 7.4
A vulnerability was identified in Tenda CH22 1.0.0.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Tenda
Ch22 Firmware
-
CVE-2025-9000
HIGH
CVSS 7.3
A vulnerability was found in Mechrevo Control Center GX V2 5.56.51.48. Rated high severity (CVSS 7.3). No vendor patch available.
Information Disclosure
Control Center Gx V2
-
CVE-2025-8959
HIGH
CVSS 7.5
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Hashicorp
Go Getter
Redhat
Suse
-
CVE-2025-8675
HIGH
CVSS 8.8
Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.0.0 before 1.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SSRF
Ai Seo Link Advisor
Drupal
-
CVE-2025-8361
HIGH
CVSS 7.6
Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.0.0 before 2.18.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Config Pages
Drupal
-
CVE-2025-8342
HIGH
CVSS 8.1
The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Authentication Bypass
WordPress
PHP
-
CVE-2025-8092
HIGH
CVSS 7.6
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).0.0 before 1.2.16. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Cookies Consent Management
Drupal
-
CVE-2025-7650
HIGH
CVSS 7.5
The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.50 via the 'bizcalv' shortcode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
WordPress
Lfi
PHP
RCE
Information Disclosure
-
CVE-2025-7641
HIGH
CVSS 7.5
The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
Path Traversal
PHP
-
CVE-2025-6025
HIGH
CVSS 7.5
The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
WordPress
PHP
-
CVE-2025-5048
HIGH
CVSS 7.8
A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force a Memory Corruption vulnerability. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
RCE
Advance Steel
Autocad
Autocad Architecture
-
CVE-2025-5047
HIGH
CVSS 7.8
A maliciously crafted DGN file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
RCE
Information Disclosure
Advance Steel
Autocad
Autocad Architecture
-
CVE-2025-5046
HIGH
CVSS 7.8
A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Buffer Overflow
RCE
Information Disclosure
Advance Steel
Autocad
-
CVE-2025-1929
HIGH
CVSS 7.2
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Risk Yazılım Teknolojileri Ltd. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-55207
MEDIUM
CVSS 5.5
Astro is a web framework for content-driven websites. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Open Redirect
-
CVE-2025-55203
MEDIUM
CVSS 5.4
Plane is open-source project management software. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CSRF
XSS
-
CVE-2025-54989
MEDIUM
CVSS 5.3
Firebird is a relational database. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
Denial Of Service
Null Pointer Dereference
Firebird
Suse
-
CVE-2025-52621
MEDIUM
CVSS 5.3
HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Bigfix Saas
-
CVE-2025-52620
MEDIUM
CVSS 4.3
HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Bigfix Saas
-
CVE-2025-52619
MEDIUM
CVSS 5.3
HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Bigfix Saas
-
CVE-2025-52618
MEDIUM
CVSS 4.3
HCL BigFix SaaS Authentication Service is affected by a SQL injection vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Bigfix Saas
-
CVE-2025-49898
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.0.14. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-49432
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in FWDesign Ultimate Video Player allows Exploiting Incorrectly Configured Access Control Security Levels.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-43201
MEDIUM
CVSS 6.2
This issue was addressed with improved checks. Rated medium severity (CVSS 6.2), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Google
Apple
Information Disclosure
Music Classical
Android
-
CVE-2025-36088
MEDIUM
CVSS 5.4
IBM TS4500 1.11.0.0-D00, 1.11.0.1-C00, 1.11.0.2-C00, and 1.10.00-F00 web GUI is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM
XSS
Storage Ts4500 Library Firmware
Diamondback Tape Library Firmware
-
CVE-2025-26709
MEDIUM
CVSS 5.7
There is an unauthorized access vulnerability in ZTE F50. Rated medium severity (CVSS 5.7), this vulnerability has low attack complexity. No vendor patch available.
Authentication Bypass
Zte
Information Disclosure
-
CVE-2025-9053
MEDIUM
CVSS 6.9
A vulnerability has been found in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Travel Management System
-
CVE-2025-9052
MEDIUM
CVSS 6.9
A vulnerability was identified in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Travel Management System
-
CVE-2025-9051
MEDIUM
CVSS 6.9
A vulnerability was determined in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Travel Management System
-
CVE-2025-9050
MEDIUM
CVSS 6.9
A vulnerability was found in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Travel Management System
-
CVE-2025-9047
MEDIUM
CVSS 6.9
A vulnerability has been found in projectworlds Visitor Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Visitor Management System
-
CVE-2025-9028
MEDIUM
CVSS 6.9
A flaw has been found in code-projects Online Medicine Guide 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Medicine Guide
-
CVE-2025-9027
MEDIUM
CVSS 6.9
A vulnerability has been found in code-projects Online Medicine Guide 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Medicine Guide
-
CVE-2025-9026
MEDIUM
CVSS 6.9
A vulnerability was identified in D-Link DIR-860L 2.04.B04. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
D-Link
Dir 860L Firmware
-
CVE-2025-9025
MEDIUM
CVSS 5.3
A vulnerability was determined in code-projects Simple Cafe Ordering System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Simple Cafe Ordering System
-
CVE-2025-9024
MEDIUM
CVSS 6.9
A vulnerability was found in PHPGurukul Beauty Parlour Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Beauty Parlour Management System
-
CVE-2025-9022
MEDIUM
CVSS 6.9
A vulnerability was identified in SourceCodester Online Bank Management System up to 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Online Bank Management System
-
CVE-2025-9021
MEDIUM
CVSS 6.9
A vulnerability was determined in SourceCodester Online Bank Management System up to 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Online Bank Management System
-
CVE-2025-9017
MEDIUM
CVSS 5.3
A vulnerability has been found in PHPGurukul Zoo Management System 2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
Zoo Management System
-
CVE-2025-9013
MEDIUM
CVSS 6.9
A vulnerability has been found in PHPGurukul Online Shopping Portal Project 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Online Shopping Portal Project
-
CVE-2025-9012
MEDIUM
CVSS 6.9
A vulnerability was identified in PHPGurukul Online Shopping Portal Project 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Online Shopping Portal Project
-
CVE-2025-9011
MEDIUM
CVSS 6.9
A vulnerability was determined in PHPGurukul Online Shopping Portal Project 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
SQLi
Online Shopping Portal Project
-
CVE-2025-9010
MEDIUM
CVSS 6.9
A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Tour Travel Management System
-
CVE-2025-9009
MEDIUM
CVSS 6.9
A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Tour Travel Management System
-
CVE-2025-9008
MEDIUM
CVSS 6.9
A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Tour Travel Management System
-
CVE-2025-9005
MEDIUM
CVSS 6.3
A vulnerability was determined in mtons mblog up to 3.5.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Information Disclosure
Mblog
-
CVE-2025-9004
MEDIUM
CVSS 6.3
A vulnerability was found in mtons mblog up to 3.5.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Information Disclosure
Mblog
-
CVE-2025-9003
MEDIUM
CVSS 5.1
A vulnerability has been found in D-Link DIR-818LW 1.04. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
D-Link
XSS
Dir 818lw Firmware
-
CVE-2025-9002
MEDIUM
CVSS 6.9
A vulnerability was identified in Surbowl dormitory-management-php 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Dormitory Management Php
-
CVE-2025-9001
MEDIUM
CVSS 5.5
A vulnerability was determined in LemonOS up to nightly-2024-07-12 on LemonOS. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Lemonos
-
CVE-2025-8996
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.0.0 before 2.2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Layout Builder Advanced Permissions
Drupal
-
CVE-2025-8993
MEDIUM
CVSS 6.9
A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Tour Travel Management System
-
CVE-2025-8992
MEDIUM
CVSS 5.3
A vulnerability has been found in mtons mblog up to 3.5.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
CSRF
Mblog
-
CVE-2025-8991
MEDIUM
CVSS 5.3
A vulnerability was identified in linlinjava litemall up to 1.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Litemall
-
CVE-2025-8990
MEDIUM
CVSS 6.9
A vulnerability was determined in code-projects Online Medicine Guide 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Online Medicine Guide
-
CVE-2025-8989
MEDIUM
CVSS 6.9
A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Covid19 Testing Management System
-
CVE-2025-8905
MEDIUM
CVSS 6.3
The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
RCE
Code Injection
PHP
-
CVE-2025-8867
MEDIUM
CVSS 6.4
The Graphina - Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widget parameters in version 3.1.3 and below. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-8720
MEDIUM
CVSS 6.4
The Plugin README Parser plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘target’ parameter in all versions up to, and including, 1.3.15 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-8680
MEDIUM
CVSS 4.3
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Server-Side Request Forgery in version less than, or equal to, 2.0.0 via the fs_api_request function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
SSRF
PHP
-
CVE-2025-8676
MEDIUM
CVSS 4.3
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in versions less than, or equal to, 2.0.0 via the get_active_plugins function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
Information Disclosure
PHP
-
CVE-2025-8604
MEDIUM
CVSS 6.4
The WP Table Builder - WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-8451
MEDIUM
CVSS 6.4
The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘data-gallery-items’ parameter in all. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-8362
MEDIUM
CVSS 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).0.0 before 1.10.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Googletag Manager
Drupal
-
CVE-2025-8091
MEDIUM
CVSS 4.3
The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
Information Disclosure
-
CVE-2025-8080
MEDIUM
CVSS 4.4
The Alobaidi Captcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-8066
MEDIUM
CVSS 4.8
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bunkerity Bunker Web on Linux allows Phishing.6.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Open Redirect
-
CVE-2025-7961
MEDIUM
CVSS 6.9
Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.6.0. Rated medium severity (CVSS 6.9), this vulnerability has low attack complexity. No vendor patch available.
RCE
Apple
Code Injection
macOS
-
CVE-2025-7688
MEDIUM
CVSS 6.1
The Add User Meta plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
CSRF
PHP
-
CVE-2025-7662
MEDIUM
CVSS 6.5
The Gestion de tarifs plugin for WordPress is vulnerable to SQL Injection via the 'tarif' and 'intitule' shortcodes in all versions up to, and including, 1.4 due to insufficient escaping on the user. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
SQLi
PHP
-
CVE-2025-7507
MEDIUM
CVSS 6.4
The elink - Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
Information Disclosure
PHP
-
CVE-2025-5844
MEDIUM
CVSS 6.4
The Radius Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subHeadingTagName’ parameter in all versions up to, and including, 2.2.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-55726
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55725
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55724
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55723
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55722
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55721
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55720
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55719
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55718
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-55285
LOW
CVSS 2.6
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
Information Disclosure
-
CVE-2025-44201
None
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Information Disclosure
-
CVE-2025-31961
LOW
CVSS 3.7
HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. No vendor patch available.
Authentication Bypass
Connections
-
CVE-2025-9020
LOW
CVSS 2.0
A vulnerability was found in PX4 PX4-Autopilot up to 1.15.4.cpp of the component Mavlink Shell Closing Handler. Rated low severity (CVSS 2.0). No vendor patch available.
Denial Of Service
Buffer Overflow
-
CVE-2025-9019
LOW
CVSS 2.3
A vulnerability has been found in tcpreplay 4.5.1. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Buffer Overflow
Tcpreplay
-
CVE-2025-8013
LOW
CVSS 3.8
The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
SSRF
PHP
-
CVE-2024-12573
None
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Information Disclosure