209 CVEs tracked today. 5 Critical, 40 High, 147 Medium, 8 Low.
-
CVE-2025-58384
CRITICAL
CVSS 10.0
In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Deserialization
-
CVE-2025-60219
CRITICAL
CVSS 10.0
Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme WooCommerce Designer Pro allows Upload a Web Shell to a Web Server.9.24. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
File Upload
PHP
-
CVE-2025-60156
CRITICAL
CVSS 9.6
Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress allows Upload a Web Shell to a Web Server.98. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
CSRF
PHP
-
CVE-2025-59934
CRITICAL
CVSS 9.4
Formbricks is an open source qualtrics alternative. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-55187
CRITICAL
CVSS 9.9
In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Privilege Escalation
DriveLock
-
CVE-2025-60173
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Ashwani kumar GST for WooCommerce allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
CSRF
XSS
PHP
-
CVE-2025-60172
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in flytedesk Flytedesk Digital allows Stored XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
XSS
-
CVE-2025-60171
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com allows Stored XSS (affected versions: from n/a through 1.2.10). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
CSRF
XSS
PHP
-
CVE-2025-60170
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in Taraprasad Swain HTACCESS IP Blocker allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
XSS
-
CVE-2025-60169
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in W3S Cloud Technology W3SCloud Contact Form 7 to Zoho CRM allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
XSS
-
CVE-2025-60164
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in NewsMAN NewsmanApp allows Stored XSS.7.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
XSS
-
CVE-2025-60153
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe To Unlock allows PHP Local File Inclusion.1.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
LFI
PHP
Information Disclosure
-
CVE-2025-60150
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe to Download allows PHP Local File Inclusion.0.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
LFI
PHP
Information Disclosure
-
CVE-2025-60126
HIGH
CVSS 8.8
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PluginOps Testimonial Slider allows PHP Local File Inclusion.5.8.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
LFI
PHP
Information Disclosure
-
CVE-2025-60118
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core allows SQL Injection.9.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-60116
HIGH
CVSS 8.8
Missing Authorization vulnerability in ThemeGoods Grand Conference Theme Custom Post Type allows Exploiting Incorrectly Configured Access Control Security Levels.6.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60111
HIGH
CVSS 8.8
Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core allows Authentication Bypass.0.0.266. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
CSRF
-
CVE-2025-60110
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup AllInOne - Banner Rotator allows SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-60109
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Content Slider allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-60108
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-60107
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-60017
HIGH
CVSS 8.2
Unitree Go2, G1, H1, and B2 devices through 2025-09-20 allow root OS command injection via the hostapd_restart.sh wifi_ssid or wifi_pass parameter (within restart_wifi_ap and restart_wifi_sta). Rated high severity (CVSS 8.2), this vulnerability requires no authentication. No vendor patch available.
Command Injection
-
CVE-2025-59845
HIGH
CVSS 8.2
Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-59844
HIGH
CVSS 7.7
SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Command Injection
Microsoft
Windows
-
CVE-2025-59012
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler allows Reflected XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-59011
HIGH
CVSS 7.5
Missing Authorization vulnerability in shinetheme Traveler allows Exploiting Incorrectly Configured Access Control Security Levels. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-59010
HIGH
CVSS 7.5
Insertion of Sensitive Information Into Sent Data vulnerability in Maciej Bis Permalink Manager Lite allows Retrieve Embedded Sensitive Data.5.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-59002
HIGH
CVSS 7.7
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder allows Path Traversal. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
-
CVE-2025-58385
HIGH
CVSS 7.1
In DOXENSE WATCHDOC before 6.1.0.5094, private user puk codes can be disclosed for Active Directory registered users (there is hard-coded and predictable data). Rated high severity (CVSS 7.1), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
Watchdoc
-
CVE-2025-56383
HIGH
CVSS 8.4
Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. Rated high severity (CVSS 8.4), this vulnerability requires no authentication and has low attack complexity. Public exploit code available and no vendor patch available.
RCE
-
CVE-2025-55848
HIGH
CVSS 8.8
An issue was discovered in DIR-823 firmware 20250416. Rated high severity (CVSS 8.8), this vulnerability requires no authentication and has low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
D-Link
Dir 823x Firmware
-
CVE-2025-55847
HIGH
CVSS 8.8
Wavlink M86X3A_V240730 contains a buffer overflow vulnerability in the /cgi-bin/ExportAllSettings.cgi file. Rated high severity (CVSS 8.8), this vulnerability requires no authentication and has low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Buffer Overflow
RCE
Wl Wn586X3A Firmware
-
CVE-2025-48107
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in undsgn Uncode allows Reflected XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-45994
HIGH
CVSS 7.5
An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
PassRecovery
-
CVE-2025-36274
HIGH
CVSS 7.5
IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
IBM
Information Disclosure
Aspera Http Gateway
-
CVE-2025-35027
HIGH
CVSS 7.3
Multiple robotic products by Unitree sharing a common firmware, including the Go2, G1, H1, and B2 devices, contain a command injection vulnerability. Rated high severity (CVSS 7.3), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Command Injection
G1 Firmware
Go2 Firmware
H1 Firmware
B2 Firmware
-
CVE-2025-11021
HIGH
CVSS 7.5
A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Red Hat
SUSE
-
CVE-2025-10858
HIGH
CVSS 7.5
An issue was discovered in GitLab CE/EE affecting all versions before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that allows unauthenticated users to cause a Denial of Service (DoS) condition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial Of Service
GitLab
-
CVE-2025-10747
HIGH
CVSS 7.2
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
PHP
File Upload
RCE
-
CVE-2025-10657
HIGH
CVSS 8.7
In a hardened Docker environment, with Enhanced Container Isolation ( ECI https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isolation/ ) enabled, an administrator can. Rated high severity (CVSS 8.7), this vulnerability has low attack complexity. No vendor patch available.
Docker
Privilege Escalation
-
CVE-2025-10544
HIGH
CVSS 8.6
Unrestricted file upload vulnerability in DocAve 6.13.2, Perimeter 1.12.3, Compliance Guardian 4.7.1, and earlier versions, allowing administrator users to upload files without proper validation. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
File Upload
Path Traversal
-
CVE-2025-9958
HIGH
CVSS 7.7
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
GitLab
Information Disclosure
-
CVE-2025-9642
HIGH
CVSS 8.7
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
GitLab
XSS
-
CVE-2025-9267
HIGH
CVSS 7.0
In Seagate Toolkit on Windows a vulnerability exists in the Toolkit Installer prior to versions 2.35.0.6 where it attempts to load DLLs from the current working directory without validating their. Rated high severity (CVSS 7.0), this vulnerability has low attack complexity. No vendor patch available.
RCE
Microsoft
Windows
-
CVE-2025-4957
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss ProfileGrid allows Reflected XSS.9.5.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60251
MEDIUM
CVSS 5.0
Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring. Rated medium severity (CVSS 5.0), this vulnerability requires no authentication. No vendor patch available.
Authentication Bypass
-
CVE-2025-60250
MEDIUM
CVSS 4.7
Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV. Rated medium severity (CVSS 4.7), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-60186
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Moss Google+ Comments allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Google
XSS
-
CVE-2025-60185
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur.us kontur Admin Style allows Stored XSS.0.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60184
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60181
MEDIUM
CVSS 5.4
Server-Side Request Forgery (SSRF) vulnerability in silence Silencesoft RSS Reader allows Server Side Request Forgery.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
SSRF
-
CVE-2025-60179
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS.8.9. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60177
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha – wp allows Stored XSS.2.6. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60167
MEDIUM
CVSS 4.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in honzat Page Manager for Elementor allows Retrieve Embedded Sensitive Data.0.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-60166
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in wpshuffle WP Subscription Forms PRO allows Exploiting Incorrectly Configured Access Control Security Levels.0.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60165
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in HaruTheme Frames allows Exploiting Incorrectly Configured Access Control Security Levels.5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60163
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count allows DOM-Based XSS.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60162
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Job Board Manager allows DOM-Based XSS.1.61. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60161
MEDIUM
CVSS 5.4
Server-Side Request Forgery (SSRF) vulnerability in BdThemes ZoloBlocks zoloblocks allows Server Side Request Forgery.3.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
SSRF
-
CVE-2025-60160
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sharkthemes Smart Related Products allows Stored XSS.0.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60159
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.4.0.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
WordPress
PHP
-
CVE-2025-60158
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce allows Stored XSS.4.0.6. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-60157
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Stored XSS.0.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60155
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in loopus WP Virtual Assistant allows Exploiting Incorrectly Configured Access Control Security Levels.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60154
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jennifer Moss MWW Disclaimer Buttons allows Stored XSS.41. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60152
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in wpshuffle Subscribe To Unlock allows Exploiting Incorrectly Configured Access Control Security Levels.1.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60149
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Ott Notely allows Stored XSS.8.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60148
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in wpshuffle Subscribe to Download allows Exploiting Incorrectly Configured Access Control Security Levels.0.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60147
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Feed allows Stored XSS.3.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60146
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amit Verma Map Categories to Pages allows Stored XSS.3.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60145
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in yonifre Lenix scss compiler allows Cross Site Request Forgery.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-60144
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Lenix scss compiler allows Stored XSS.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60143
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in netgsm Netgsm allows Exploiting Incorrectly Configured Access Control Security Levels.9.58. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60142
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DaganLev Simple Meta Tags allows DOM-Based XSS.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60141
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thetechtribe The Tribal allows Stored XSS.3.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60140
MEDIUM
CVSS 5.3
Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal allows Retrieve Embedded Sensitive Data.3.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-60139
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Joovii Sendle Shipping allows Cross Site Request Forgery.02. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-60138
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks allows Stored XSS.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60137
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Galaxy Weblinks Post Featured Video allows Cross Site Request Forgery.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-60136
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cartpauj User Notes allows Stored XSS.0.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60133
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DJ-Extensions.com PE Easy Slider allows Stored XSS.1.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60130
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in wedos.com WEDOS Global allows Accessing Functionality Not Properly Constrained by ACLs.2.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60129
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Yext Yext allows Accessing Functionality Not Properly Constrained by ACLs.1.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60128
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in WP Delicious Delisho allows Exploiting Incorrectly Configured Access Control Security Levels.1.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60127
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in ArtistScope CopySafe Web Protection allows Exploiting Incorrectly Configured Access Control Security Levels.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60125
MEDIUM
CVSS 5.3
Insertion of Sensitive Information Into Sent Data vulnerability in themelooks FoodBook allows Retrieve Embedded Sensitive Data.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-60124
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Hellyer Simple Colorbox allows Stored XSS.6.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60123
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in HivePress HivePress Claim Listings allows Exploiting Incorrectly Configured Access Control Security Levels.1.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60122
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in HivePress HivePress Claim Listings allows Exploiting Incorrectly Configured Access Control Security Levels.1.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60121
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Ex-Themes WooEvents allows Exploiting Incorrectly Configured Access Control Security Levels.1.7. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60120
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in wpdirectorykit WP Directory Kit allows Exploiting Incorrectly Configured Access Control Security Levels.3.8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60119
MEDIUM
CVSS 5.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in CoSchedule CoSchedule allows Retrieve Embedded Sensitive Data.3.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-60117
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in TangibleWP Vehica Core allows Cross Site Request Forgery.0.100. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-60115
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in instapagedev Instapage Plugin allows Cross Site Request Forgery.5.12. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-60114
MEDIUM
CVSS 6.6
Improper Control of Generation of Code ('Code Injection') vulnerability in YayCommerce YayCurrency allows Code Injection.2. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RCE
Code Injection
-
CVE-2025-60113
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in grooni Groovy Menu allows Cross Site Request Forgery.4.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-60112
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor allows Stored XSS.1.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60106
MEDIUM
CVSS 4.9
Missing Authorization vulnerability in Roxnor EmailKit allows Exploiting Incorrectly Configured Access Control Security Levels.6.0. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60105
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Ditty allows Stored XSS.1.58. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60104
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jordy Meow Gallery Custom Links allows Stored XSS.2.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60103
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in CridioStudio ListingPro allows Exploiting Incorrectly Configured Access Control Security Levels.9.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60102
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syam Mohan WPFront User Role Editor allows Stored XSS.2.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60101
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Woostify Woostify allows Stored XSS.4.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60100
MEDIUM
CVSS 5.3
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore allows Code Injection.5.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60099
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in awsm.in Embed Any Document allows Stored XSS.7.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60098
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Jeff Farthing Theme My Login allows Exploiting Incorrectly Configured Access Control Security Levels.1.12. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60097
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in CodexThemes TheGem allows Exploiting Incorrectly Configured Access Control Security Levels.10.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60096
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in CodexThemes TheGem (Elementor) allows Exploiting Incorrectly Configured Access Control Security Levels.10.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60095
MEDIUM
CVSS 4.3
Insertion of Sensitive Information Into Sent Data vulnerability in Benjamin Intal Stackable allows Retrieve Embedded Sensitive Data.18.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-60094
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Benjamin Intal Stackable allows Exploiting Incorrectly Configured Access Control Security Levels.18.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-60093
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Shahjada Download Manager allows Cross Site Request Forgery.3.24. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-60092
MEDIUM
CVSS 5.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager allows Retrieve Embedded Sensitive Data.3.24. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-60040
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fkrauthan wp-mpdf allows Stored XSS.9.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-59843
MEDIUM
CVSS 6.9
Flag Forge is a Capture The Flag (CTF) platform. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Flagforge
-
CVE-2025-59362
MEDIUM
CVSS 4.0
Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. Rated medium severity (CVSS 4.0), this vulnerability requires no authentication and has low attack complexity. Public exploit code available.
Buffer Overflow
Stack Overflow
Squid
Redhat
Suse
-
CVE-2025-58919
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in guihom Wide Banner allows Exploiting Incorrectly Configured Access Control Security Levels.0.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-58917
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce allows Stored XSS.0.13. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-58914
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer allows Cross Site Request Forgery.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-57692
MEDIUM
CVSS 6.8
PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user's browser. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Piranha Cms
-
CVE-2025-57292
MEDIUM
CVSS 6.1
Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Todoist
-
CVE-2025-56463
MEDIUM
CVSS 6.8
Mercusys MW305R 3.30 and below has a Transport Layer Security (TLS) certificate private key disclosure. Rated medium severity (CVSS 6.8), this vulnerability requires no authentication and has low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Mw305R Firmware
-
CVE-2025-54831
MEDIUM
CVSS 6.5
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Apache
Airflow
-
CVE-2025-48326
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Acclectic Media Acclectic Media Organizer allows Exploiting Incorrectly Configured Access Control Security Levels.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-27006
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeplugs Authorsy allows Stored XSS.0.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-26258
MEDIUM
CVSS 6.1
Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.'. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Employee Management System
-
CVE-2025-11060
MEDIUM
CVSS 5.7
A flaw was found in the live query subscription mechanism of the database engine. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Redhat
-
CVE-2025-11048
MEDIUM
CVSS 5.3
A security vulnerability has been detected in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
I Educar
-
CVE-2025-11047
MEDIUM
CVSS 5.3
A weakness has been identified in Portabilis i-Educar up to 2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
I Educar
-
CVE-2025-11046
MEDIUM
CVSS 6.9
A security flaw has been discovered in Tencent WeKnora 0.1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SSRF
Weknora
-
CVE-2025-11045
MEDIUM
CVSS 6.9
A vulnerability was identified in WAYOS LQ_04, LQ_05, LQ_06, LQ_07 and LQ_09 22.03.17. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Command Injection
-
CVE-2025-11042
MEDIUM
CVSS 4.3
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial Of Service
Gitlab
-
CVE-2025-11041
MEDIUM
CVSS 5.3
A vulnerability has been found in itsourcecode Open Source Job Portal 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Open Source Job Portal
-
CVE-2025-11040
MEDIUM
CVSS 6.9
A vulnerability was detected in code-projects Hostel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Hostel Management System
-
CVE-2025-11039
MEDIUM
CVSS 6.9
A security vulnerability has been detected in Campcodes Computer Sales and Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Computer Sales And Inventory System
-
CVE-2025-11038
MEDIUM
CVSS 5.3
A weakness has been identified in itsourcecode Online Clinic Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
SQLi
Online Clinic Management System
-
CVE-2025-11037
MEDIUM
CVSS 6.9
A security flaw has been discovered in code-projects E-Commerce Website 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
E Commerce Website
-
CVE-2025-11036
MEDIUM
CVSS 6.9
A vulnerability was identified in code-projects E-Commerce Website 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
E Commerce Website
-
CVE-2025-11035
MEDIUM
CVSS 5.3
A vulnerability was determined in Jinher OA 2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XXE
Jinher Oa
-
CVE-2025-11034
MEDIUM
CVSS 5.3
A vulnerability was found in Dibo Data Decision Making System up to 2.7.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
-
CVE-2025-11033
MEDIUM
CVSS 6.9
A vulnerability has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Courseselectionsystem
-
CVE-2025-11032
MEDIUM
CVSS 6.9
A flaw has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
SQLi
Courseselectionsystem
-
CVE-2025-11031
MEDIUM
CVSS 5.5
A flaw has been found in DataTables up to 1.10.13. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
PHP
Path Traversal
Datatables
-
CVE-2025-11030
MEDIUM
CVSS 6.9
A vulnerability was detected in Tutorials-Website Employee Management System up to 611887d8f8375271ce8abc704507d46340837a60. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
Information Disclosure
-
CVE-2025-11029
MEDIUM
CVSS 5.3
A weakness has been identified in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
CSRF
Vvveb
-
CVE-2025-11028
MEDIUM
CVSS 5.5
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Vvveb
-
CVE-2025-11027
MEDIUM
CVSS 4.8
A vulnerability was identified in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Vvveb
-
CVE-2025-11026
MEDIUM
CVSS 5.1
A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Vvveb
-
CVE-2025-11025
MEDIUM
CVSS 5.3
Insertion of Sensitive Information Into Sent Data vulnerability in Vimesoft Information Technologies and Software Inc. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Information Disclosure
-
CVE-2025-11019
MEDIUM
CVSS 4.8
A vulnerability has been found in Total.js CMS up to 19.9.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Total Js
-
CVE-2025-11018
MEDIUM
CVSS 5.5
A flaw has been found in Four-Faith Water Conservancy Informatization Platform 1.0. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Path Traversal
Water Conservancy Informatization
-
CVE-2025-11017
MEDIUM
CVSS 4.8
A vulnerability was detected in OGRECave Ogre up to 14.4.1. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Ogre
-
CVE-2025-11016
MEDIUM
CVSS 5.3
A security vulnerability has been detected in kalcaddle kodbox up to 1.61.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
Path Traversal
-
CVE-2025-11015
MEDIUM
CVSS 4.8
A weakness has been identified in OGRECave Ogre up to 14.4.1. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
-
CVE-2025-11014
MEDIUM
CVSS 4.8
A security flaw has been discovered in OGRECave Ogre up to 14.4.1.cpp of the component Image Handler. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Ogre
-
CVE-2025-11013
MEDIUM
CVSS 4.8
A vulnerability was identified in BehaviorTree up to 4.7.0. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Behaviortree
-
CVE-2025-11012
MEDIUM
CVSS 4.8
A vulnerability was determined in BehaviorTree up to 4.7.0. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available.
Buffer Overflow
Behaviortree
-
CVE-2025-11011
MEDIUM
CVSS 4.8
A vulnerability was found in BehaviorTree up to 4.7.0. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available.
Denial Of Service
Behaviortree
-
CVE-2025-11010
MEDIUM
CVSS 4.8
A vulnerability has been found in vstakhov libucl up to 0.9.2. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
-
CVE-2025-11000
MEDIUM
CVSS 4.8
A vulnerability was determined in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Open Babel
Suse
-
CVE-2025-10999
MEDIUM
CVSS 4.8
A vulnerability was found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Open Babel
Suse
-
CVE-2025-10998
MEDIUM
CVSS 4.8
A vulnerability has been found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Open Babel
Suse
-
CVE-2025-10997
MEDIUM
CVSS 4.8
A flaw has been found in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Open Babel
Suse
-
CVE-2025-10996
MEDIUM
CVSS 4.8
A vulnerability was detected in Open Babel up to 3.1.1.cpp. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Open Babel
Suse
-
CVE-2025-10995
MEDIUM
CVSS 4.8
A security vulnerability has been detected in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Buffer Overflow
Open Babel
Suse
-
CVE-2025-10994
MEDIUM
CVSS 4.8
A weakness has been identified in Open Babel up to 3.1.1. Rated medium severity (CVSS 4.8), this vulnerability has low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
Buffer Overflow
Open Babel
Suse
-
CVE-2025-10993
MEDIUM
CVSS 5.1
A security flaw has been discovered in MuYuCMS up to 2.7. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
Code Injection
Muyucms
-
CVE-2025-10992
MEDIUM
CVSS 5.5
A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-10989
MEDIUM
CVSS 5.3
A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Ruoyi
-
CVE-2025-10988
MEDIUM
CVSS 5.3
A vulnerability was identified in YunaiV ruoyi-vue-pro up to 2025.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Ruoyi Vue Pro
-
CVE-2025-10987
MEDIUM
CVSS 5.3
A vulnerability was determined in YunaiV yudao-cloud up to 2025.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
Yudao Cloud
-
CVE-2025-10981
MEDIUM
CVSS 5.3
A vulnerability was detected in JeecgBoot up to 3.8.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Jeecg Boot
-
CVE-2025-10980
MEDIUM
CVSS 5.3
A security vulnerability has been detected in JeecgBoot up to 3.8.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Information Disclosure
Jeecg Boot
-
CVE-2025-10752
MEDIUM
CVSS 4.3
The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
CSRF
PHP
-
CVE-2025-10745
MEDIUM
CVSS 5.3
The Banhammer - Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
WordPress
PHP
-
CVE-2025-10490
MEDIUM
CVSS 4.4
The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-10377
MEDIUM
CVSS 4.3
The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
CSRF
PHP
-
CVE-2025-10307
MEDIUM
CVSS 6.5
The Backuply - Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
PHP
Path Traversal
RCE
-
CVE-2025-10180
MEDIUM
CVSS 6.4
The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-10178
MEDIUM
CVSS 6.4
The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-10137
MEDIUM
CVSS 5.4
The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
WordPress
SSRF
PHP
-
CVE-2025-10136
MEDIUM
CVSS 6.4
The TweetThis Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tweetthis' shortcode in all versions up to, and including, 1.8.0 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-10037
MEDIUM
CVSS 4.9
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
SQLi
PHP
-
CVE-2025-10036
MEDIUM
CVSS 4.9
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
SQLi
PHP
-
CVE-2025-9985
MEDIUM
CVSS 5.3
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
Information Disclosure
PHP
-
CVE-2025-9984
MEDIUM
CVSS 5.3
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
WordPress
PHP
-
CVE-2025-9490
MEDIUM
CVSS 6.4
The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.20.6 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-9044
MEDIUM
CVSS 6.4
The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-8906
MEDIUM
CVSS 6.4
The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-8200
MEDIUM
CVSS 6.4
The Mega Elements - Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Timer widget in all versions up to, and including, 1.3.2 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WordPress
XSS
PHP
-
CVE-2025-7691
MEDIUM
CVSS 6.5
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Gitlab
Privilege Escalation
-
CVE-2025-6396
MEDIUM
CVSS 6.1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webbeyaz Website Design Website Software allows Cross-Site Scripting (XSS).07.14. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-1862
MEDIUM
CVSS 6.7
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RCE
File Upload
Enterprise Integrator
Identity Server
Identity Server As Key Manager
-
CVE-2025-60033
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-60032
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-60031
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-60030
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-60029
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-60028
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-60027
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-60026
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-59842
LOW
CVSS 2.1
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required.
Information Disclosure
Jupyterlab
-
CVE-2025-50879
None
Rejected reason: DO NOT USE THIS CVE RECORD. No vendor patch available.
Information Disclosure
-
CVE-2025-36326
LOW
CVSS 3.7
IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
IBM
Information Disclosure
Cognos Controller
Controller
-
CVE-2025-10871
LOW
CVSS 3.8
An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Gitlab
-
CVE-2025-10868
LOW
CVSS 3.5
An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Gitlab
Information Disclosure
-
CVE-2025-10867
LOW
CVSS 3.5
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial Of Service
Gitlab
-
CVE-2025-10173
LOW
CVSS 2.7
The ShopEngine Elementor WooCommerce Builder Addon - All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save(). Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
WordPress
PHP
-
CVE-2025-5069
LOW
CVSS 3.5
An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Gitlab
-
CVE-2025-1396
LOW
CVSS 3.7
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Information Disclosure
Identity Server
Identity Server As Key Manager
Open Banking Iam