THREAT ALERT

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Get CVEs that hit your stack — not 200/day

Pick your technologies, get a weekly digest by email. Free, no spam.

React Python Postgres +200 more

React Next.js Python Postgres AWS +200 more

Trending Now See all

Critical Watch See all

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Incoming 20

Pre-NVD – not yet scored

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — August 15, 2025

103 CVEs tracked today. 6 Critical, 22 High, 52 Medium, 12 Low.

CVE-2025-54466 CRITICAL CVSS 9.8
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.09.02 only when the scrum plugin is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Apache Code Injection Ofbiz
CVE-2025-9060 CRITICAL CVSS 9.1
A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE
CVE-2025-8995 CRITICAL CVSS 9.8
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.0.0 before 2.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Drupal Authenticator Login
CVE-2025-6679 CRITICAL CVSS 9.8
The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP WordPress RCE File Upload
CVE-2025-54473 CRITICAL CVSS 9.2
An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Joomla File Upload
CVE-2025-7778 CRITICAL CVSS 9.8
The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP WordPress Authentication Bypass RCE
CVE-2025-54475 HIGH CVSS 8.7
A SQL injection vulnerability in the JS Jobs plugin versions 1.3.2-1.4.4 for Joomla allows low-privilege users to execute arbitrary SQL commands. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Joomla
CVE-2025-54474 HIGH CVSS 8.5
A SQLi vulnerability in DJ-Classifieds component 3.9.2-3.10.1 for Joomla was discovered. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Joomla
CVE-2025-49898 HIGH CVSS 7.6
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.0.14. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-49897 HIGH CVSS 8.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection.1. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
CVE-2025-43490 HIGH CVSS 8.4
A potential security vulnerability has been identified in the HPAudioAnalytics service included in the HP Hotkey Support software, which might allow escalation of privilege. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation HP
CVE-2025-24975 HIGH CVSS 7.1
Firebird is a relational database. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Suse Firebird
CVE-2025-9046 HIGH CVSS 7.4
A vulnerability was identified in Tenda AC20 16.03.08.12. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Ac20 Firmware
CVE-2025-9023 HIGH CVSS 7.4
A vulnerability has been found in Tenda AC7 and AC18 15.03.05.19/15.03.06.44. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Ac18 Firmware Ac7 Firmware
CVE-2025-9007 HIGH CVSS 7.4
A vulnerability has been found in Tenda CH22 1.0.0.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Ch22 Firmware
CVE-2025-9006 HIGH CVSS 7.4
A vulnerability was identified in Tenda CH22 1.0.0.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Ch22 Firmware
CVE-2025-8959 HIGH CVSS 7.5
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Red Hat Hashicorp Suse Go Getter
CVE-2025-8675 HIGH CVSS 8.8
Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.0.0 before 1.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Drupal Ai Seo Link Advisor
CVE-2025-8361 HIGH CVSS 7.6
Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.0.0 before 2.18.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Drupal Config Pages
CVE-2025-8342 HIGH CVSS 8.1
The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

PHP WordPress Authentication Bypass
CVE-2025-8092 HIGH CVSS 7.6
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).0.0 before 1.2.16. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Drupal Cookies Consent Management
CVE-2025-7650 HIGH CVSS 7.5
The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.50 via the 'bizcalv' shortcode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

PHP WordPress RCE Information Disclosure LFI
CVE-2025-7641 HIGH CVSS 7.5
The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP WordPress Path Traversal
CVE-2025-6025 HIGH CVSS 7.5
The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP WordPress Authentication Bypass
CVE-2025-5048 HIGH CVSS 7.8
A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force a Memory Corruption vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Autocad Autocad Architecture Autocad Electrical
CVE-2025-5047 HIGH CVSS 7.8
A maliciously crafted DGN file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Information Disclosure Autocad Autocad Architecture Autocad Electrical
CVE-2025-5046 HIGH CVSS 7.8
A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Information Disclosure Autocad Autocad Architecture
CVE-2025-1929 HIGH CVSS 7.2
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Risk Yazılım Teknolojileri Ltd. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
CVE-2025-55207 MEDIUM CVSS 5.5
Astro is a web framework for content-driven websites. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect
CVE-2025-55203 MEDIUM CVSS 5.4
Plane is open-source project management software. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS CSRF
CVE-2025-54989 MEDIUM CVSS 5.3
Firebird is a relational database. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Suse Firebird
CVE-2025-52621 MEDIUM CVSS 5.3
HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bigfix Saas
CVE-2025-52620 MEDIUM CVSS 4.3
HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Bigfix Saas
CVE-2025-52619 MEDIUM CVSS 5.3
HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bigfix Saas
CVE-2025-52618 MEDIUM CVSS 4.3
HCL BigFix SaaS Authentication Service is affected by a SQL injection vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Bigfix Saas
CVE-2025-49432 MEDIUM CVSS 5.3
Missing Authorization vulnerability in FWDesign Ultimate Video Player allows Exploiting Incorrectly Configured Access Control Security Levels.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-43201 MEDIUM CVSS 6.2
This issue was addressed with improved checks. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Apple Android Music Classical
CVE-2025-36088 MEDIUM CVSS 5.4
IBM TS4500 1.11.0.0-D00, 1.11.0.1-C00, 1.11.0.2-C00, and 1.10.00-F00 web GUI is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS IBM Storage Ts4500 Library Firmware Diamondback Tape Library Firmware
CVE-2025-26709 MEDIUM CVSS 5.7
There is an unauthorized access vulnerability in ZTE F50. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure Zte
CVE-2025-9053 MEDIUM CVSS 5.5
A vulnerability has been found in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9052 MEDIUM CVSS 5.5
A vulnerability was identified in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9051 MEDIUM CVSS 5.5
A vulnerability was determined in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9050 MEDIUM CVSS 5.5
A vulnerability was found in projectworlds Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9047 MEDIUM CVSS 5.5
A vulnerability has been found in projectworlds Visitor Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9028 MEDIUM CVSS 5.5
A flaw has been found in code-projects Online Medicine Guide 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9027 MEDIUM CVSS 5.5
A vulnerability has been found in code-projects Online Medicine Guide 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9026 MEDIUM CVSS 5.5
A vulnerability was identified in D-Link DIR-860L 2.04.B04. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection D-Link
CVE-2025-9024 MEDIUM CVSS 5.5
A vulnerability was found in PHPGurukul Beauty Parlour Management System 1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
CVE-2025-9022 MEDIUM CVSS 5.5
A vulnerability was identified in SourceCodester Online Bank Management System up to 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
CVE-2025-9021 MEDIUM CVSS 5.5
A vulnerability was determined in SourceCodester Online Bank Management System up to 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
CVE-2025-9016 MEDIUM CVSS 6.4
A vulnerability was identified in Mechrevo Control Center GX V2 5.56.51.48. Rated high severity (CVSS 7.3). No vendor patch available.

Information Disclosure
CVE-2025-9013 MEDIUM CVSS 5.5
A vulnerability has been found in PHPGurukul Online Shopping Portal Project 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
CVE-2025-9012 MEDIUM CVSS 5.5
A vulnerability was identified in PHPGurukul Online Shopping Portal Project 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
CVE-2025-9011 MEDIUM CVSS 5.5
A vulnerability was determined in PHPGurukul Online Shopping Portal Project 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
CVE-2025-9010 MEDIUM CVSS 5.5
A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9009 MEDIUM CVSS 5.5
A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9008 MEDIUM CVSS 5.5
A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9002 MEDIUM CVSS 5.5
A vulnerability was identified in Surbowl dormitory-management-php 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9001 MEDIUM CVSS 5.5
A vulnerability was determined in LemonOS up to nightly-2024-07-12 on LemonOS. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Lemonos
CVE-2025-9000 MEDIUM CVSS 6.4
A vulnerability was found in Mechrevo Control Center GX V2 5.56.51.48. Rated high severity (CVSS 7.3). No vendor patch available.

Information Disclosure
CVE-2025-8996 MEDIUM CVSS 4.3
Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.0.0 before 2.2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Drupal Layout Builder Advanced Permissions
CVE-2025-8993 MEDIUM CVSS 5.5
A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-8990 MEDIUM CVSS 5.5
A vulnerability was determined in code-projects Online Medicine Guide 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-8989 MEDIUM CVSS 5.5
A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-8905 MEDIUM CVSS 6.3
The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress RCE Code Injection
CVE-2025-8867 MEDIUM CVSS 6.4
The Graphina - Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widget parameters in version 3.1.3 and below. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress XSS
CVE-2025-8720 MEDIUM CVSS 6.4
The Plugin README Parser plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘target’ parameter in all versions up to, and including, 1.3.15 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress XSS
CVE-2025-8680 MEDIUM CVSS 4.3
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Server-Side Request Forgery in version less than, or equal to, 2.0.0 via the fs_api_request function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress SSRF
CVE-2025-8676 MEDIUM CVSS 4.3
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in versions less than, or equal to, 2.0.0 via the get_active_plugins function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress Information Disclosure
CVE-2025-8604 MEDIUM CVSS 6.4
The WP Table Builder - WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress XSS
CVE-2025-8451 MEDIUM CVSS 6.4
The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘data-gallery-items’ parameter in all. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress XSS
CVE-2025-8362 MEDIUM CVSS 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).0.0 before 1.10.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Drupal Googletag Manager
CVE-2025-8091 MEDIUM CVSS 4.3
The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure
CVE-2025-8080 MEDIUM CVSS 4.4
The Alobaidi Captcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

PHP WordPress XSS
CVE-2025-8066 MEDIUM CVSS 4.8
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bunkerity Bunker Web on Linux allows Phishing.6.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Open Redirect
CVE-2025-7961 MEDIUM CVSS 6.9
Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.6.0. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

RCE Apple macOS Code Injection
CVE-2025-7688 MEDIUM CVSS 6.1
The Add User Meta plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP WordPress CSRF
CVE-2025-7662 MEDIUM CVSS 6.5
The Gestion de tarifs plugin for WordPress is vulnerable to SQL Injection via the 'tarif' and 'intitule' shortcodes in all versions up to, and including, 1.4 due to insufficient escaping on the user. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress SQLi
CVE-2025-7507 MEDIUM CVSS 6.4
The elink - Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress Information Disclosure
CVE-2025-5844 MEDIUM CVSS 6.4
The Radius Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subHeadingTagName’ parameter in all versions up to, and including, 2.2.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress XSS
CVE-2025-55726 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55725 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55724 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55723 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55722 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55721 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55720 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55719 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55718 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-55285 LOW CVSS 2.6
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure
CVE-2025-44201 None
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
CVE-2025-31961 LOW CVSS 3.7
HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Connections
CVE-2025-9025 LOW CVSS 2.1
A vulnerability was determined in code-projects Simple Cafe Ordering System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
CVE-2025-9020 LOW CVSS 2.0
A vulnerability was found in PX4 PX4-Autopilot up to 1.15.4.cpp of the component Mavlink Shell Closing Handler. Rated low severity (CVSS 2.0). No vendor patch available.

Buffer Overflow Denial Of Service
CVE-2025-9019 LOW CVSS 1.3
A vulnerability has been found in tcpreplay 4.5.1. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow
CVE-2025-9017 LOW CVSS 2.1
A vulnerability has been found in PHPGurukul Zoo Management System 2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
CVE-2025-9005 LOW CVSS 2.9
A vulnerability was determined in mtons mblog up to 3.5.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure
CVE-2025-9004 LOW CVSS 2.9
A vulnerability was found in mtons mblog up to 3.5.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure
CVE-2025-9003 LOW CVSS 2.0
A vulnerability has been found in D-Link DIR-818LW 1.04. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS D-Link
CVE-2025-8992 LOW CVSS 2.1
A vulnerability has been found in mtons mblog up to 3.5.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF
CVE-2025-8991 LOW CVSS 2.1
A vulnerability was identified in linlinjava litemall up to 1.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure
CVE-2025-8013 LOW CVSS 3.8
The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP WordPress SSRF
CVE-2024-12573 None
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure

Track CVEs for your stack Sign up free →

Today's Vulnerabilities Vulnerabilities