Skip to main content
CVE-2025-59298 HIGH PATCH This Week

Delta Electronics DIAScreen lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

Buffer Overflow Memory Corruption Diascreen
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-59297 HIGH PATCH This Week

Delta Electronics DIAScreen lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

Buffer Overflow Memory Corruption Diascreen
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-11223 HIGH This Week

A security vulnerability in Installer of Panasonic AutoDownloader version 1.2.8 (CVSS 7.8). High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-61679 HIGH PATCH This Week

Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4.

Information Disclosure
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-52656 HIGH This Week

HCL MyXalytics: 6.6.  is affected by Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to application objects without proper validation or access controls, potentially allowing unauthorized modification of sensitive fields.

Information Disclosure Dryice Myxalytics
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-52653 HIGH This Week

HCL MyXalytics product is affected by Cross Site Scripting vulnerability in the web application. This can allow the execution of unauthorized scripts, potentially resulting in unauthorized actions or access.

XSS Dryice Myxalytics
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-9212 HIGH This Week

The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.

RCE File Upload WordPress PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-11234 HIGH POC PATCH This Week

A flaw was found in QEMU.

Denial Of Service Memory Corruption Use After Free
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61590 HIGH PATCH This Week

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. Workspaces allow users to open more than a single folder and save specific settings (pretty similar to .vscode/settings.json) for the folders / project. An untitled workspace is automatically created by VS Code (untitled.code-workspace), which contains all the folders and workspace settings from the user's current session, opening up an entire new attack vector if the user has a .code-workspace file in path (either untitled created automatically or a saved one). If an attacker is able to hijack the chat context of the victim (such as via a compromised MCP server), they can use prompt injection to make the Cursor Agent write into this file and modify the workspace. This leads to a bypass of CVE-2025-54130 which can lead to RCE by writing to the settings section. This issue is fixed in version 1.7.

RCE Code Injection Cursor
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9200 HIGH This Week

The Blappsta Mobile App Plugin - Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0.8.8.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress Android PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-27237 HIGH PATCH This Week

In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL.

Privilege Escalation OpenSSL Ubuntu Debian Windows
NVD
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-47212 HIGH PATCH This Week

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Command Injection Qts Quts Hero
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-34226 HIGH This Week

OpenPLC Runtime v3 contains an input validation flaw in the /upload-program-action endpoint: the epoch_time field supplied during program uploads is not validated and can be crafted to induce corruption of the programs database. After a successful malformed upload the runtime continues to operate until a restart; on restart the runtime can fail to start because of corrupted database entries, resulting in persistent denial of service requiring complete rebase of the product to recover. This vulnerability was remediated by commit 095ee09.

Denial Of Service
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2025-61593 HIGH This Week

Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI Agent protects its sensitive files (i.e. */.cursor/cli.json) allows attackers to modify the content of the files through prompt injection, thus achieving remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive filesystems. This issue is fixed in a commit, 25b418f, but has yet to be released as of October 3, 2025.

RCE Code Injection Cursor
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-10692 HIGH This Week

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0.

SQLi
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-54154 MEDIUM PATCH This Month

An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP Authenticator 1.3.1.1227 and later

Authentication Bypass Qnap Authenticator
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-61680 MEDIUM PATCH This Month

A security vulnerability in plaintext. This issue is fixed in (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub
CVSS 4.0
6.6
EPSS
0.1%
CVE-2025-61685 MEDIUM PATCH MAL This Month

Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.

Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-52867 MEDIUM PATCH This Month

An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-44012 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-44007 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-44006 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-33040 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-33039 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-47210 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44011 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44010 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44009 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44008 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-33034 MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Path Traversal Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-57423 MEDIUM This Month

A SQL injection vulnerability was discovered in the /articles endpoint of MyClub 0.5, affecting the query parameters Content, GroupName, PersonName, lastUpdate, pool, and title. Due to insufficient input sanitisation, an unauthenticated remote attacker could inject arbitrary SQL commands via a crafted GET request, potentially leading to information disclosure or manipulation of the database.

SQLi Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-59829 MEDIUM PATCH This Month

A security vulnerability in Claude Code (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Claude Code
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53407 MEDIUM PATCH This Month

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Information Disclosure Qts Quts Hero
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53406 MEDIUM PATCH This Month

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Information Disclosure Qts Quts Hero
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-52429 MEDIUM PATCH This Month

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Information Disclosure Qts Quts Hero
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-48730 MEDIUM PATCH This Month

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Information Disclosure Quts Hero Qts
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-43825 MEDIUM PATCH This Month

A security vulnerability in Liferay Portal 7.4.0 (CVSS 6.5) that allows sensitive user data. Remediation should follow standard vulnerability management procedures.

Information Disclosure Liferay Portal Digital Experience Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-27236 MEDIUM PATCH This Month

A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.

Authentication Bypass Ubuntu Debian Zabbix Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-9199 MEDIUM This Month

The Woo superb slideshow transition gallery with random effect plugin for WordPress is vulnerable to SQL Injection via the 'woo-superb-slideshow' shortcode in all versions up to, and including, 9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-9198 MEDIUM This Month

The Wp cycle text announcement plugin for WordPress is vulnerable to SQL Injection via the 'cycle-text' shortcode in all versions up to, and including, 8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-9045 MEDIUM This Month

The Easy Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in versions less than, or equal to, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9876 MEDIUM This Month

The Ird Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irdslider' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9859 MEDIUM This Month

The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9858 MEDIUM This Month

The Auto Bulb Finder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abf_vehicle' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9854 MEDIUM This Month

The A Simple Multilanguage Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'asmp-switcher' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9204 MEDIUM This Month

The X Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Youtube Video ID field in all versions up to, and including, 1.0.14. This is due to insufficient input sanitization and output escaping on the Youtube Video ID parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9077 MEDIUM This Month

The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Animated Text' field of the Typeout Widget in version 1.1.9 and below due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9875 MEDIUM This Month

The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9206 MEDIUM This Month

The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all version up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9130 MEDIUM This Month

The Unify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's unify_checkout shortcode in all versions up to, and including, 3.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy