The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.1%.
WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
WeiPHP v5.0 and before is vulnerable to SQL Injection via the SucaiController.class.php file and the cancelTemplatee. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Assertion failure in function ngap_build_downlink_nas_transport in file src/amf/ngap-build.c, the Access and Mobility Management Function (AMF) component, in Open5GS thru 2.7.5 allowing attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.4.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cattown is a JavaScript markdown parser. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The on-endpoint Microsoft vulnerable driver blocklist is not fully synchronized with the online Microsoft recommended driver block rules. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.
FoxCMS v1.2.5 and before is vulnerable to SQL Injection via the column_model parameter in the app/admin/controller/Column.php file. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WeGIA is a Web manager for charitable institutions. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Maho is a free and open source ecommerce platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The MCP inspector is a developer tool for testing and debugging MCP servers. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Fides is an open-source privacy engineering platform. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
An Insecure Direct Object Reference (IDOR) in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary code via uploading a crafted HTML file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.
A cross-site scripting (XSS) vulnerability in Smart Search & Filter Shopify and BigCommerce apps allows a remote attacker to execute arbitrary JavaScript in the web browser of a user, by including a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JSON::SIMD before version 1.07 and earlier for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability ( CVE-2025-21176 https://www.cve.org/CVERecord ) exists in DiaSymReader.dll due to buffer over-read. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability ( CVE-2024-38229 https://www.cve.org/CVERecord ) exists in EOL ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Due to an unsecure default configuration HTTP is used instead of HTTPS for the web interface. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e.g.,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.