Skip to main content
CVE-2025-57520 MEDIUM POC This Month

A Cross Site Scripting (XSS) vulnerability exists in Decap CMS thru 3.8.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Decap Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-47120 MEDIUM This Month

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a privileged user to escalate their privileges and attack surface on the host due to the containers running with. Rated medium severity (CVSS 6.4). No vendor patch available.

IBM Privilege Escalation Security Verify Information Queue
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9714 MEDIUM PATCH CISA This Month

Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Buffer Overflow
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2024-45671 MEDIUM This Month

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Information Disclosure Security Verify Information Queue
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-57573 MEDIUM This Month

Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the wifiTimeClose parameter in goform/setWifi. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Tenda F3 Firmware
NVD GitHub
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-57572 MEDIUM This Month

Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the onlineList parameter in goform/setParentControl. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Tenda F3 Firmware
NVD GitHub
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-57571 MEDIUM This Month

Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Tenda F3 Firmware
NVD GitHub
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-57570 MEDIUM This Month

Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the QosList parameter in goform/setQoS. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Tenda F3 Firmware
NVD GitHub
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-57569 MEDIUM This Month

Tenda F3 V12.01.01.48_multi and after is vulnerable to Buffer Overflow via the portList parameter in /goform/setNAT. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Tenda F3 Firmware
NVD GitHub
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-8681 MEDIUM This Month

Pega Platform versions 7.1.0 to Infinity 24.2.2 are affected by a Stored XSS issue in a user interface component. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Pega Platform
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43886 MEDIUM This Month

Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Path Traversal: '.../...//' vulnerability. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Dell Path Traversal Powerprotect Data Manager
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-9979 MEDIUM This Month

The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-43783 MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2024-45669 MEDIUM This Month

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a remote user to cause a denial of service due to improper handling of special characters that could lead to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service IBM Security Verify Information Queue
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-43784 MEDIUM PATCH This Month

Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest. Rated medium severity (CVSS 6.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Digital Experience Platform Liferay Portal
NVD
CVSS 4.0
6.2
EPSS
0.0%
CVE-2025-43785 MEDIUM PATCH Monitor

Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Digital Experience Platform Liferay Portal
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2025-59035 MEDIUM PATCH Monitor

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Indico
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-59034 MEDIUM PATCH Monitor

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Python Indico
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-43938 MEDIUM This Month

Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Plaintext Storage of a Password vulnerability. Rated medium severity (CVSS 5.0). No vendor patch available.

Dell Authentication Bypass Powerprotect Data Manager
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-29592 MEDIUM POC This Month

oasys v1.1 is vulnerable to Directory Traversal in ProcedureController. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Path Traversal Oa System
NVD GitHub
CVSS 3.1
5.6
EPSS
0.1%
CVE-2025-20248 MEDIUM This Month

A vulnerability in the installation process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR Software image signature verification and load unsigned. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple Jwt Attack
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-20159 MEDIUM This Month

A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-56578 MEDIUM This Month

An issue in RTSPtoWeb v.2.4.3 allows a remote attacker to obtain sensitive information and executearbitrary code via the lack of authentication mechanisms. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.7
EPSS
0.1%
CVE-2025-10227 MEDIUM This Month

Missing Encryption of Sensitive Data (CWE-311) in the Object Archive component in AxxonSoft Axxon One (C-Werk) before 2.0.8 on Windows and Linux allows a local attacker with access to exported. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Axxon One Windows
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-10224 MEDIUM This Month

Improper Authentication (CWE-287) in the LDAP authentication engine in AxxonSoft Axxon One (C-Werk) 2.0.2 and earlier on Windows allows a remote authenticated user to be denied access or misassigned. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Axxon One Windows
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-10223 MEDIUM This Month

Insufficient Session Expiration (CWE-613) in the Web Admin Panel in AxxonSoft Axxon One (C-Werk) prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Axxon One Windows
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-10222 MEDIUM Monitor

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) in the diagnostic dump component in AxxonSoft Axxon One VMS (C-Werk) 2.0.0 through 2.0.1 on Windows allows a local attacker to. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Axxon One Windows
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-10221 MEDIUM This Month

Insertion of Sensitive Information into Log File (CWE-532) in the ARP Agent component in AxxonSoft Axxon One / AxxonNet / C-WerkNet 2.0.4 and earlier on Windows platforms allows a local attacker to. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Axxon One Windows
NVD
CVSS 4.0
6.7
EPSS
0.0%
CVE-2025-40725 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) vulnerability in Azon Dominator. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-36758 MEDIUM This Month

It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Oracle
NVD
CVSS 4.0
6.3
EPSS
0.1%
CVE-2025-36757 MEDIUM This Month

It is possible to bypass the administrator login screen on SolaX Cloud. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
6.3
EPSS
0.1%
CVE-2025-36756 MEDIUM This Month

A problem with missing authorization on SolaX Cloud platform allows taking over any SolaX solarpanel inverter of which the serial number is known. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
5.8
EPSS
0.1%
CVE-2025-9888 MEDIUM Monitor

The Maspik - Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9857 MEDIUM This Month

The Heateor Login - Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9622 MEDIUM Monitor

The WP Blast | SEO & Performance Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9463 MEDIUM This Month

The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-9367 MEDIUM This Month

The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-8778 MEDIUM Monitor

The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-7843 MEDIUM This Month

The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SSRF PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-7826 MEDIUM This Month

The Testimonial plugin for WordPress is vulnerable to SQL Injection via the 'iNICtestimonial' shortcode in all versions up to, and including, 2.3 due to insufficient escaping on the user supplied. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-6189 MEDIUM This Month

The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-10142 MEDIUM Monitor

The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-10126 MEDIUM This Month

The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-8388 MEDIUM This Month

The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor_url’ parameter in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy