THREAT ALERT

ACT NOW CVE-2025-48543 8.8 Android Chrome sandbox contains a use-after-free enabling sandbox escape and local privilege escalation to attack the Android system_server process. | ACT NOW CVE-2025-53690 9.0 Sitecore Experience Manager/Platform through version 9.0 contains a deserialization vulnerability enabling code injection through untrusted data processing. | ACT NOW CVE-2025-9377 8.6 TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental Control page, affecting end-of-life devices with no patch available. | ACT NOW CVE-2025-55177 5.4 Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | EMERGENCY CVE-2025-57819 10.0 FreePBX 15, 16, and 17 contain SQL injection vulnerabilities enabling unauthenticated access to the administrator interface, leading to database manipulation and remote code execution. | ACT NOW CVE-2025-7775 9.2 Citrix NetScaler ADC and Gateway contain a memory overflow vulnerability enabling remote code execution and denial of service when configured as VPN, AAA, or load balancing virtual servers. | EMERGENCY CVE-2025-43300 10.0 Apple iOS/iPadOS contain an out-of-bounds write in image processing that allows code execution through malicious images, exploited in extremely sophisticated targeted attacks against specific individuals. | EMERGENCY CVE-2025-7441 9.8 The StoryChief WordPress plugin through version 1.0.42 contains an unauthenticated arbitrary file upload via the /wp-json/storychief/webhook REST API endpoint. Insufficient file type validation allows attackers to upload executable PHP files, achieving remote code execution on the WordPress server. | EMERGENCY CVE-2025-8876 9.4 N-able N-central before 2025.3.1 contains an OS command injection through improper input validation, companion vulnerability to CVE-2025-8875. | ACT NOW CVE-2025-8875 9.4 N-able N-central before 2025.3.1 contains a deserialization vulnerability allowing local code execution through crafted serialized data. | ACT NOW CVE-2025-8943 9.8 Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS commands. The combination of no default authentication and the ability to spawn local processes via tools like npx enables unauthenticated remote code execution on any Flowise installation. | ACT NOW CVE-2025-8088 8.4 WinRAR for Windows contains a path traversal vulnerability allowing crafted archives to execute arbitrary code, discovered by ESET and exploited in the wild for targeted attacks. |

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — September 05, 2025

237 CVEs tracked today. 10 Critical, 64 High, 151 Medium, 10 Low.

CVE-2025-58206 CRITICAL CVSS 9.8
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MaxCoach allows PHP Local File Inclusion.2.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Lfi PHP Information Disclosure
CVE-2025-35452 CRITICAL CVSS 9.2
PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use default, shared credentials for the administrative web interface. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Pt12X Sdi Xx G2 Firmware Pt12X Ndi Xx Firmware Pt12X Usb Xx G2 Firmware Pt20X Sdi Xx G2 Firmware
CVE-2025-35451 CRITICAL CVSS 9.3
PTZOptics and possibly other ValueHD-based pan-tilt-zoom cameras use hard-coded, default administrative credentials. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Pt12X Sdi Xx G2 Firmware Pt12X Ndi Xx Firmware Pt12X Usb Xx G2 Firmware Pt20X Sdi Xx G2 Firmware
CVE-2025-58819 CRITICAL CVSS 9.1
Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image allows Upload a Web Shell to a Web Server.2.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
CVE-2025-58628 CRITICAL CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous allows Blind SQL Injection. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
CVE-2025-58371 CRITICAL CVSS 9.9
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection RCE Roo Code
CVE-2025-58367 CRITICAL CVSS 10.0
DeepDiff is a project focused on Deep Difference and search of any Python data. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Python RCE Deserialization Suse
CVE-2025-58366 CRITICAL CVSS 9.4
Onyxia is a data science environment for kubernetes. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes
CVE-2025-55037 CRITICAL CVSS 9.3
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
CVE-2025-49401 CRITICAL CVSS 9.8
Deserialization of Untrusted Data vulnerability in ExpressTech Systems Quiz And Survey Master allows Object Injection.2.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
CVE-2025-58881 HIGH CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus New Simple Gallery allows Blind SQL Injection.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
CVE-2025-58861 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in WP Corner Quick Event Calendar allows Stored XSS.4.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58860 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in KaizenCoders Enable Latex allows Stored XSS.2.16. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58859 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in David Merinas Add to Feedly allows Stored XSS.2.11. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58857 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KaizenCoders Table of content allows Stored XSS.5.3.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-58855 HIGH CVSS 7.1
Improper Neutralization of Formula Elements in a CSV File vulnerability in Denis V (Artprima) AP HoneyPot WordPress Plugin allows Reflected XSS.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-58854 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Samer Bechara Ultimate AJAX Login allows Reflected XSS.2.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58853 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Popping Sidebars and Widgets Light allows Reflected XSS.27. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58852 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Mark O'Donnell MSTW League Manager allows Stored XSS.10. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58849 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Deepak S Hide Real Download Path allows Stored XSS.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58848 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in aakash1911 WP likes allows Reflected XSS.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58847 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Yaidier WN Flipbox Pro allows Reflected XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58846 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer - HYPESocial. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF XSS PHP
CVE-2025-58845 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in ChrisHurst Bulk Watermark allows Reflected XSS.6.10. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58844 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Subhash Kumar Database to Excel allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58843 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in David Merinas Auto Last Youtube Video allows Stored XSS.0.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58839 HIGH CVSS 7.2
Deserialization of Untrusted Data vulnerability in aThemeArt Translations eDS Responsive Menu allows Object Injection.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
CVE-2025-58833 HIGH CVSS 8.8
Cross-Site Request Forgery (CSRF) vulnerability in INVELITY Invelity MyGLS connect allows Object Injection.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58815 HIGH CVSS 7.2
Deserialization of Untrusted Data vulnerability in Rubel Miah Aitasi Coming Soon allows Object Injection.0.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
CVE-2025-58809 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Nick Ciske To Lead For Salesforce allows Reflected XSS.7.3.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58807 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Dsingh Purge Varnish Cache allows Stored XSS.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58806 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in imjoehaines WordPress Error Monitoring by Bugsnag allows Stored XSS.6.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF XSS PHP
CVE-2025-58789 HIGH CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle WP Full Stripe Free allows SQL Injection.3.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
CVE-2025-58788 HIGH CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal License Manager for WooCommerce allows Blind SQL Injection.0.12. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
CVE-2025-58780 HIGH CVSS 7.2
index.em7 in ScienceLogic SL1 before 12.1.1 allows SQL Injection via a parameter in a request. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
CVE-2025-58400 HIGH CVSS 8.4
RATOC RAID Monitoring Manager for Windows provided by RATOC Systems, Inc. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

RCE Microsoft Windows
CVE-2025-58372 HIGH CVSS 8.1
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Roo Code
CVE-2025-58370 HIGH CVSS 8.1
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Command Injection Roo Code
CVE-2025-58362 HIGH CVSS 7.5
Hono is a Web application framework that provides support for any JavaScript runtime. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Nginx Hono
CVE-2025-58296 HIGH CVSS 7.5
Race condition vulnerability in the audio module. Rated high severity (CVSS 7.5). No vendor patch available.

Information Disclosure Race Condition Harmonyos
CVE-2025-58281 HIGH CVSS 8.4
Out-of-bounds read vulnerability in the runtime interpreter module. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Harmonyos
CVE-2025-58280 HIGH CVSS 8.4
Vulnerability of exposing object heap addresses in the Ark eTS module. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Harmonyos
CVE-2025-58214 HIGH CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Indutri allows PHP Local File Inclusion. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Lfi PHP Information Disclosure
CVE-2025-58179 HIGH CVSS 7.2
Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Astrojs Cloudflare
CVE-2025-57889 HIGH CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RealMag777 InPost Gallery allows PHP Local File Inclusion.1.4.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Lfi PHP Information Disclosure
CVE-2025-55671 HIGH CVSS 8.5
Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE
CVE-2025-53307 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brent Jett Assistant allows Reflected XSS.5.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-48317 HIGH CVSS 7.5
Path Traversal vulnerability in Stefan Keller WooCommerce Payment Gateway for Saferpay allows Path Traversal.4.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Path Traversal PHP
CVE-2025-48104 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in ericzane Floating Window Music Player allows Stored XSS.4.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-39723 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix unbuffered write error handling If all the subrequests in an unbuffered write stream fail, the subrequest collector. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Denial Of Service Buffer Overflow Linux Linux Kernel
CVE-2025-39719 HIGH CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Linux Buffer Overflow Information Disclosure Linux Kernel Debian Linux
CVE-2025-39717 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE As described in commit 7a54947e727b ('Merge patch series. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Use After Free Authentication Bypass Linux Linux Kernel
CVE-2025-39711 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls Both the ACE and CSI driver are missing a. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Dell Linux Memory Corruption Use After Free Denial Of Service
CVE-2025-39710 HIGH CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for packet size after reading from shared memory Add a check to ensure that the packet size does not. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Linux Buffer Overflow Information Disclosure Linux Kernel Debian Linux
CVE-2025-39702 HIGH CVSS 7.0
A timing attack vulnerability exists in the Linux kernel's IPv6 Segment Routing (SR) implementation where MAC (Message Authentication Code) comparisons are performed using non-constant-time operations. This timing side-channel weakness (CWE-203) affects multiple Linux kernel versions and could allow a local attacker with low privileges to potentially extract cryptographic secrets by measuring subtle timing differences during MAC validation. With an EPSS score of 0.02% (4th percentile), exploitation likelihood is very low, and patches are available from the vendor.

Linux Information Disclosure Debian Linux Linux Kernel Redhat
CVE-2025-39701 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: ACPI: pfr_update: Fix the driver update version check The security-version-number check should be used rather than the runtime. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-39691 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Buffer Overflow Use After Free Linux Linux Kernel
CVE-2025-39689 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy hash for reading of filter files Currently the reader of set_ftrace_filter and set_ftrace_notrace. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Use After Free Information Disclosure Linux Linux Kernel
CVE-2025-39687 HIGH CVSS 7.1
A local information disclosure vulnerability exists in the Linux kernel's AS73211 IIO light sensor driver where uninitialized buffer memory (padding holes) is not zeroed before being copied to a kfifo accessible to userspace. This allows a local authenticated attacker to read sensitive kernel memory contents. With a very low EPSS score of 0.01% (3rd percentile) and no known active exploitation, this represents a theoretical rather than actively exploited risk.

Linux Information Disclosure Linux Kernel Debian Linux Redhat
CVE-2025-39686 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-39685 HIGH CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid irq number The reproducer passed in an irq number(0x80008000) that was too large, which triggered. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Linux Buffer Overflow Information Disclosure Linux Kernel Debian Linux
CVE-2025-39683 HIGH CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Linux Buffer Overflow Information Disclosure Linux Kernel Debian Linux
CVE-2025-39682 HIGH CVSS 7.1
This vulnerability in the Linux kernel's TLS receive path allows a local attacker with low privileges to cause a denial of service or potentially leak sensitive information in memory. The flaw occurs when handling zero-length TLS records on the rx_list, where the kernel fails to properly handle the corner case of zero-length initial records during zero-copy decryption operations. With an EPSS score of only 0.01% (1st percentile), active exploitation is highly unlikely despite the 7.1 CVSS score, and patches are available from the vendor.

Linux Tls Denial Of Service Debian Linux Linux Kernel
CVE-2025-39680 HIGH CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved: i2c: rtl9300: Fix out-of-bounds bug in rtl9300_i2c_smbus_xfer The data->block[0] variable comes from user. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Linux Buffer Overflow Information Disclosure Linux Kernel Redhat
CVE-2025-38736 HIGH CVSS 7.1
In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Syzbot reported shift-out-of-bounds exception on MDIO bus. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Linux Buffer Overflow Information Disclosure Linux Kernel Debian Linux
CVE-2025-38734 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix UAF on smcsk after smc_listen_out() BPF CI testing report a UAF issue: [ 16.446633] BUG: kernel NULL pointer. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Debian Linux Memory Corruption Use After Free Denial Of Service
CVE-2025-38731 HIGH CVSS 7.8
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix vm_bind_ioctl double free bug If the argument check during an array bind fails, the bind_ops are freed twice as seen. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Linux Intel Linux Kernel Redhat
CVE-2025-32320 HIGH CVSS 7.8
In System UI, there is a possible way to view other users' images due to a confused deputy. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Android Google
CVE-2025-32318 HIGH CVSS 8.8
In Skia, there is a possible out of bounds write due to a heap buffer overflow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Privilege Escalation Android Google
CVE-2025-30199 HIGH CVSS 7.5
ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Deebot X1S Pro Firmware Deebot X1 Pro Omni Firmware Deebot X1 Omni Firmware Deebot X1 Turbo Firmware
CVE-2025-9999 HIGH CVSS 7.6
Some payload elements of the messages sent between two stations in a networking architecture are not properly checked on the receiving station allowing an attacker to execute unauthorized commands in. Rated high severity (CVSS 7.6), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass
CVE-2025-9990 HIGH CVSS 8.1
The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Lfi PHP RCE Information Disclosure
CVE-2025-9709 HIGH CVSS 8.6
On-Chip Debug and Test Interface With Improper Access Control and Improper Protection against Electromagnetic Fault Injection (EM-FI) in Nordic Semiconductor nRF52810 allow attacker to perform EM. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-9566 HIGH CVSS 8.1
A path traversal vulnerability in Podman allows attackers with low-privileged access to overwrite arbitrary files on the host system when using the 'kube play' command with maliciously crafted Kubernetes manifests containing Secret or ConfigMap volume mounts with symbolic links. While the attacker cannot control the content written to the target file, they can cause denial of service or integrity issues by overwriting critical system files. The vulnerability has a low EPSS score of 0.05%, indicating minimal real-world exploitation activity observed so far.

Linux Docker Path Traversal Redhat Suse
CVE-2025-58887 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Course Finder | andré martin - it solutions & research UG Course Booking Platform allows Stored. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58886 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tan Nguyen Instant Locations allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58884 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ivan Drago vipdrv allows Stored XSS.0.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58883 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thomas Harris Search Cloud One allows Stored XSS.2.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58882 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in w1zzard Simple Text Slider allows Stored XSS.0.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58880 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reubenthiessen Translate This gTranslate Shortcode allows Stored XSS.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58878 MEDIUM CVSS 6.5
Cross-Site Request Forgery (CSRF) vulnerability in usamafarooq Woocommerce Gifts Product allows Cross Site Request Forgery.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
CVE-2025-58876 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ali Aghdam Aparat Video Shortcode allows Stored XSS.2.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58875 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sudar Muthu WP Github Gist allows Stored XSS.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58874 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in josepsitjar StoryMap allows DOM-Based XSS.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58873 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pusheco Pushe Web Push Notification allows Stored XSS.5.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58872 MEDIUM CVSS 6.5
Insertion of Sensitive Information Into Sent Data vulnerability in premiumbizthemes Simple Price Calculator allows Retrieve Embedded Sensitive Data.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-58871 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Luis Rock Master Paper Collapse Toggle allows Stored XSS.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58870 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DeBAAT WP-GraphViz allows DOM-Based XSS.5.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58869 MEDIUM CVSS 6.5
Cross-Site Request Forgery (CSRF) vulnerability in Simasicher SimaCookie allows Stored XSS.3.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-58868 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simasicher SimaCookie allows Stored XSS.3.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58867 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Remi Corson Easy Download Media Counter allows Stored XSS.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58865 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in reimund Compact Admin allows Cross Site Request Forgery.3.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58864 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iamroody 金数据 allows Stored XSS.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58863 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SdeWijs Zoomify embed for WP allows Stored XSS.5.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58862 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in George Sexton WordPress Events Calendar Plugin - connectDaily allows Stored XSS.5.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-58858 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget allows Stored XSS.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58856 MEDIUM CVSS 6.5
Cross-Site Request Forgery (CSRF) vulnerability in ablancodev Woocommerce Notify Updated Product allows Stored XSS.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF XSS PHP
CVE-2025-58851 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DigitalCourt Boxed Content allows Stored XSS.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58850 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in marcshowpass Showpass WordPress Extension allows Stored XSS.0.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-58842 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in givecloud Donation Forms WP by Givecloud allows Stored XSS.0.9. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58841 MEDIUM CVSS 5.5
Incorrect Privilege Assignment vulnerability in John Luetke Media Author allows Privilege Escalation.0.4. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
CVE-2025-58840 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ibnul H. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58838 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zakir Smooth Accordion allows Stored XSS.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58837 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiful H SS Font Awesome Icon allows Stored XSS.1.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58836 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tikolan FW Anker allows Stored XSS.2.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58835 MEDIUM CVSS 5.3
Improper Validation of Specified Quantity in Input vulnerability in calliko Bonus for Woo allows Accessing Functionality Not Properly Constrained by ACLs.4.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-58834 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gugu short.io allows DOM-Based XSS.io: from n/a through 2.4.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58832 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Search by Google allows Stored XSS.9. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google XSS
CVE-2025-58831 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in snagysandor Parallax Scrolling Enllax.js allows Cross Site Request Forgery.js: from n/a through 0.0.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58830 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snagysandor Parallax Scrolling Enllax.js allows Stored XSS.js: from n/a through 0.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58829 MEDIUM CVSS 4.9
Server-Side Request Forgery (SSRF) vulnerability in aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One allows Server Side Request Forgery.2.6. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

SSRF
CVE-2025-58828 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codemstory 코드엠샵 소셜톡 allows Stored XSS.2.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58826 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric Mann WP Publication Archive allows Stored XSS.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58825 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP – Customize Default Comment Form allows Stored XSS.0.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58824 MEDIUM CVSS 4.3
Missing Authorization vulnerability in webriti Shk Corporate allows Exploiting Incorrectly Configured Access Control Security Levels.4.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-58823 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The African Boss Get Cash allows Stored XSS.2.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58822 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail allows DOM-Based XSS.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58821 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdever WP Notification Bell allows Stored XSS.4.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58820 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Carousel Ultimate allows Stored XSS.8. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58818 MEDIUM CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in SwiftNinjaPro Developer Tools Blocker allows Cross Site Request Forgery.2.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58817 MEDIUM CVSS 4.3
Missing Authorization vulnerability in DesertThemes SoftMe allows Exploiting Incorrectly Configured Access Control Security Levels.1.24. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-58814 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ram Ratan Maurya Stagtools allows Stored XSS.3.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58813 MEDIUM CVSS 4.3
Missing Authorization vulnerability in ThemeArile Consultstreet allows Exploiting Incorrectly Configured Access Control Security Levels.0.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-58812 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PriceListo Best Restaurant Menu by PriceListo allows Stored XSS.4.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58811 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs Ultimate Client Dash allows Stored XSS.6. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58810 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jimmywb Simple Link List Widget allows Stored XSS.3.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58808 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Babar prettyPhoto allows Stored XSS.2.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58805 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Widgetize Pages Light allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58804 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in brijrajs WooCommerce Single Page Checkout allows Cross Site Request Forgery.2.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
CVE-2025-58802 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in michalzagdan TrustMate.io - WooCommerce integration allows Cross Site Request Forgery.io - WooCommerce integration: from n/a through 1.14.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
CVE-2025-58801 MEDIUM CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in KCS Responder allows Cross Site Request Forgery.3.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58800 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Steve Truman WP Email Template allows Cross Site Request Forgery.8.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58799 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in themelocation Custom WooCommerce Checkout Fields Editor allows Cross Site Request Forgery.3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
CVE-2025-58798 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Bjorn Manintveld BCM Duplicate Menu allows Cross Site Request Forgery.1.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58797 MEDIUM CVSS 5.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Mahmudul Hasan Arif Ninja Charts allows Retrieve Embedded Sensitive Data.3.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-58796 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dudaster Elementor Element Condition allows Stored XSS.0.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58795 MEDIUM CVSS 4.3
Missing Authorization vulnerability in Payoneer Inc. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-58794 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in rainafarai Notification for Telegram allows Cross Site Request Forgery.4.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58793 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Elementor Addons allows Stored XSS.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58792 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in WPKube Authors List allows Cross Site Request Forgery.0.6.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-58791 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arjan Olsder SEO Auto Linker allows Stored XSS.5.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58790 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKube Kiwi allows Stored XSS.1.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58787 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Popup allows Stored XSS.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58786 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VW THEMES Ibtana - Ecommerce Product Addons allows DOM-Based XSS.4.7.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58785 MEDIUM CVSS 5.4
Missing Authorization vulnerability in jbhovik Ray Enterprise Translation allows Exploiting Incorrectly Configured Access Control Security Levels.7.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-58784 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox allows Stored XSS.4.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-58783 MEDIUM CVSS 4.3
Missing Authorization vulnerability in gutentor Gutentor allows Exploiting Incorrectly Configured Access Control Security Levels.5.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-58401 MEDIUM CVSS 5.1
Obsidian GitHub Copilot Plugin versions prior to 1.1.7 store Github API token in cleartext form. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-58373 MEDIUM CVSS 5.5
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Roo Code
CVE-2025-58369 MEDIUM CVSS 5.3
fs2 is a compositional, streaming I/O library for Scala. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
CVE-2025-58359 MEDIUM CVSS 6.0
ZF FROST is a Rust implementation of FROST (Flexible Round-Optimised Schnorr Threshold signatures). Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-58313 MEDIUM CVSS 5.1
Race condition vulnerability in the device standby module. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure Race Condition Harmonyos
CVE-2025-58276 MEDIUM CVSS 6.8
Permission verification vulnerability in the home screen module Impact: Successful exploitation of this vulnerability may affect availability. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Emui Harmonyos
CVE-2025-55739 MEDIUM CVSS 5.1
api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-54744 MEDIUM CVSS 6.5
Missing Authorization vulnerability in Stylemix MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels.6.15. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-53791 MEDIUM CVSS 4.7
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Google Microsoft Edge Chromium Chrome
CVE-2025-53571 MEDIUM CVSS 6.5
Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-48395 MEDIUM CVSS 4.7
An attacker with authenticated and privileged access could modify the contents of a non-sensitive file by traversing the path in the limited shell of the CLI. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
CVE-2025-48105 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vincent Boiardt Easy Flash Embed allows Stored XSS.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-48103 MEDIUM CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mulscully Today's Date Inserter allows Stored XSS.2.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-48102 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership allows Stored XSS.6.6. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-41408 MEDIUM CVSS 5.3
Improper authorization in handler for custom URL scheme issue in "Yahoo!. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Android
CVE-2025-39726 MEDIUM CVSS 4.7
In the Linux kernel, the following vulnerability has been resolved: s390/ism: fix concurrency management in ism_cmd() The s390x ISM device data sheet clearly states that only one request-response. Rated medium severity (CVSS 4.7).

Linux Information Disclosure Race Condition Linux Kernel Redhat
CVE-2025-39725 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list In shrink_folio_list(), the hwpoisoned folio may be large. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Huawei Linux Linux Kernel
CVE-2025-39724 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-39722 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP Since the CAAM on these SoCs is managed by another ARM core, called. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Linux Linux Kernel Redhat Suse
CVE-2025-39721 MEDIUM CVSS 5.5
A use-after-free vulnerability exists in the Linux kernel's QAT (QuickAssist Technology) crypto driver that can crash the system when device-specific QAT drivers (such as qat_4xxx.ko) are repeatedly loaded and unloaded while the core intel_qat.ko driver remains resident. The vulnerability occurs when a power management interrupt triggers a deferred work routine that executes after the device driver has been unloaded, causing the routine to dereference freed memory and trigger a kernel panic. This affects all Linux kernel versions with the vulnerable QAT driver code, and while the EPSS score is low (0.02%, percentile 5%), a vendor patch is available and the vulnerability is confirmed reproducible.

Linux Denial Of Service Use After Free Linux Kernel Redhat
CVE-2025-39720 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix refcount leak causing resource not released When ksmbd_conn_releasing(opinfo->conn) returns true,the refcount was not. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39718 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Buffer Overflow Linux Linux Kernel Debian Linux
CVE-2025-39716 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-39715 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS calls to probe user read access We use load and stbys,e instructions to trigger memory reference. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-39714 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When an program is streaming (ffplay) and another program (qv4l2) changes the TV. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Linux Linux Kernel Debian Linux Redhat
CVE-2025-39713 MEDIUM CVSS 4.7
In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full. Rated medium severity (CVSS 4.7).

Buffer Overflow Linux Linux Kernel Debian Linux Redhat
CVE-2025-39712 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval Getting / Setting the frame interval using the V4L2 subdev. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39709 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against spurious interrupts during probe Make sure the interrupt handler is initialized before the interrupt. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Debian Linux
CVE-2025-39708 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix NULL pointer dereference A warning reported by smatch indicated a possible null pointer dereference where one of. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Redhat
CVE-2025-39707 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities HUBBUB structure is not initialized on DCE hardware, so check. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Redhat
CVE-2025-39706 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Since KFD proc content was moved to kernel debugfs, we can't destroy KFD. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Debian Linux
CVE-2025-39705 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a Null pointer dereference vulnerability [Why] A null pointer dereference vulnerability exists in the AMD. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Null Pointer Dereference Amd Linux Linux Kernel
CVE-2025-39704 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix stack protector issue in send_ipi_data() Function kvm_io_bus_read() is called in function send_ipi_data(),. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Buffer Overflow Linux Linux Kernel Redhat Suse
CVE-2025-39703 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if skb can't hold tag Receiving HSR frame with insufficient space to hold HSR tag in the skb can result. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Debian Linux
CVE-2025-39700 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: mm/damon/ops-common: ignore migration request to invalid nodes damon_migrate_pages() tries migration even if the target node is. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39699 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: iommu/riscv: prevent NULL deref in iova_to_phys The riscv_iommu_pte_fetch() function returns either NULL for unmapped/never-mapped. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Redhat
CVE-2025-39698 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Use After Free Information Disclosure Linux Linux Kernel
CVE-2025-39697 MEDIUM CVSS 4.7
In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a race when updating an existing write After nfs_lock_and_join_requests() tests for whether the request is still attached. Rated medium severity (CVSS 4.7).

Linux Information Disclosure Race Condition Linux Kernel Debian Linux
CVE-2025-39696 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: tas2781: Fix wrong reference of tasdevice_priv During the conversion to unify the calibration data management, the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Buffer Overflow Linux Linux Kernel Redhat Suse
CVE-2025-39695 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Flush delayed SKBs while releasing RXE resources When skb packets are sent out, these skb packets still depends on the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39694 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present check Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Debian Linux
CVE-2025-39693 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL pointer dereference [WHY] Although unlikely drm_atomic_get_new_connector_state() or. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Null Pointer Dereference Amd Linux Linux Kernel
CVE-2025-39692 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() We can't call destroy_workqueue(smb_direct_wq); before. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Debian Linux
CVE-2025-39690 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: iio: accel: sca3300: fix uninitialized iio scan data Fix potential leak of uninitialized stack data to userspace by ensuring that. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39684 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-39681 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-39679 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor(). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39678 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL If metric table address is not allocated, accessing metrics_bin. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Amd Linux Linux Kernel
CVE-2025-39677 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix backlog accounting in qdisc_dequeue_internal This issue applies for the following qdiscs: hhf, fq, fq_codel, and. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-39676 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Debian Linux
CVE-2025-39675 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Amd Linux Linux Kernel
CVE-2025-39674 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ufs-qcom: Fix ESI null pointer dereference ESI/MSI is a performance optimization feature that provides dedicated. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Redhat
CVE-2025-39673 MEDIUM CVSS 4.7
In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. Rated medium severity (CVSS 4.7).

Linux Information Disclosure Race Condition Linux Kernel Debian Linux
CVE-2025-38737 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: cifs: Fix oops due to uninitialised variable Fix smb3_init_transform_rq() to initialise buffer to NULL before calling. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Information Disclosure Linux Linux Kernel Redhat Suse
CVE-2025-38735 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Debian Linux
CVE-2025-38733 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: s390/mm: Do not map lowcore with identity mapping Since the identity mapping is pinned to address zero the lowcore is always also. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Denial Of Service Null Pointer Dereference Linux Linux Kernel Redhat
CVE-2025-38732 MEDIUM CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Linux Linux Kernel Debian Linux Redhat
CVE-2025-32317 MEDIUM CVSS 5.5
In App Widget, there is a possible Information Disclosure due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Android Google
CVE-2025-32316 MEDIUM CVSS 5.5
In gralloc4, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Information Disclosure Android Google
CVE-2025-27003 MEDIUM CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in fullworks Quick Paypal Payments allows Cross Site Request Forgery.7.46. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
CVE-2025-26434 MEDIUM CVSS 5.5
In libxml2, there is a possible out of bounds read due to a buffer overflow. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Android Google Redhat
CVE-2025-10061 MEDIUM CVSS 6.5
An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service MongoDB
CVE-2025-10060 MEDIUM CVSS 6.5
MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service MongoDB
CVE-2025-10059 MEDIUM CVSS 6.5
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service MongoDB
CVE-2025-10044 MEDIUM CVSS 4.3
A flaw was found in Keycloak. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Redhat
CVE-2025-10027 MEDIUM CVSS 5.1
A vulnerability was determined in itsourcecode POS Point of Sale System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Point Of Sale System
CVE-2025-10026 MEDIUM CVSS 5.1
A vulnerability was found in itsourcecode POS Point of Sale System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Point Of Sale System
CVE-2025-10025 MEDIUM CVSS 6.9
A vulnerability has been found in PHPGurukul Online Course Registration 3.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Course Registration
CVE-2025-10013 MEDIUM CVSS 5.3
A vulnerability was detected in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure I Educar
CVE-2025-10012 MEDIUM CVSS 5.3
A security vulnerability has been detected in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi I Educar
CVE-2025-10011 MEDIUM CVSS 5.3
A weakness has been identified in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi I Educar
CVE-2025-9998 MEDIUM CVSS 6.0
The sequence of packets received by a Networking server are not correctly checked. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
CVE-2025-9057 MEDIUM CVSS 6.4
The Biagiotti Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-8944 MEDIUM CVSS 4.3
The OceanWP WordPress theme before 4.1.2 is vulnerable to an option update due to a missing capability check on one of its AJAX request handler, allowing any authenticated users, such as subscriber. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Oceanwp PHP
CVE-2025-8695 MEDIUM CVSS 5.4
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad NetGIS Server allows Reflected XSS.2.4 through 22.08.2025. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-8684 MEDIUM CVSS 6.4
The Flatsome Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-7445 MEDIUM CVSS 6.5
Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Suse
CVE-2024-0028 MEDIUM CVSS 5.5
In Audio Service, there is a possible way to obtain MAC addresses of nearby Bluetooth devices due to a missing permission check. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Android Google
CVE-2025-58866 LOW CVSS 2.7
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Rami Yushuvaev Site Info allows Retrieve Embedded Sensitive Data.1. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-58827 LOW CVSS 3.8
Improper Control of Generation of Code ('Code Injection') vulnerability in PickPlugins Job Board Manager allows Code Injection.1.61. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
CVE-2025-58816 LOW CVSS 3.5
Missing Authorization vulnerability in Plugin Devs Product Carousel Slider for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.1.3. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-58440 None
Rejected reason: The unisharp/laravel-filemanager is a separate project, unrelated to laravel-filemanager. No vendor patch available.

Information Disclosure
CVE-2025-58352 LOW CVSS 2.1
Weblate is a web based localization tool. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable.

Information Disclosure Weblate
CVE-2025-57807 LOW CVSS 3.8
ImageMagick is free and open-source software used for editing and manipulating digital images. Rated low severity (CVSS 3.8). Public exploit code available.

Heap Overflow Buffer Overflow Imagemagick
CVE-2025-30200 LOW CVSS 2.3
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived. Rated low severity (CVSS 2.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Deebot X1S Pro Firmware Deebot X1 Pro Omni Firmware Deebot X1 Omni Firmware Deebot X1 Turbo Firmware
CVE-2025-30198 LOW CVSS 2.3
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived. Rated low severity (CVSS 2.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Deebot X1S Pro Firmware Deebot X1 Pro Omni Firmware Deebot X1 Omni Firmware Deebot X1 Turbo Firmware
CVE-2025-26461 LOW CVSS 3.3
In Permission Manager, there is a possible way for the microphone privacy indicator to remain activated even after the user attempts to close the app due to a logic error in the code. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Android Google
CVE-2025-10043 None
Rejected reason: Considered by the maintainers a bug scenario experienced rather than a vulnerability. No vendor patch available.

Information Disclosure
CVE-2025-10014 LOW CVSS 2.3
A flaw has been found in elunez eladmin up to 2.7. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Eladmin
CVE-2024-21977 LOW CVSS 3.2
Incomplete cleanup after loading a CPU microcode patch may allow a privileged attacker to degrade the entropy of the RDRAND instruction, potentially resulting in loss of integrity for SEV-SNP guests. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure

Today's Vulnerabilities Vulnerabilities