Skip to main content
CVE-2025-46819 MEDIUM POC PATCH CISA This Month

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

Denial Of Service Redis Integer Overflow Ubuntu Debian +2
NVD GitHub
CVSS 3.1
6.3
EPSS
5.0%
Threat
4.9
CVE-2025-46818 MEDIUM POC PATCH CISA This Month

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

RCE Redis Code Injection Ubuntu Debian +2
NVD GitHub
CVSS 3.1
6.0
EPSS
3.2%
Threat
4.8
CVE-2025-60450 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.

XSS PHP Metinfo
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-42193 MEDIUM POC This Month

nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.

XSS Nopcommerce
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-60452 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

XSS PHP Metinfo
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-60451 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the website settings module. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.

XSS PHP Metinfo
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-60448 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists due to insufficient validation of SVG file uploads in the /admin/media.php component, allowing attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed.

XSS PHP Emlog
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-60445 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed.

XSS PHP Xunruicms
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-60454 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

XSS PHP Metinfo
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-60453 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

XSS PHP Metinfo
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-60447 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution.

XSS PHP Emlog
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-61599 MEDIUM POC This Month

Emlog is an open source website building system. A stored Cross-Site Scripting (XSS) vulnerability exists in the "Twitter"feature of EMLOG Pro 2.5.21 and below. An authenticated user with privileges to post a "Twitter" message can inject arbitrary JavaScript code. The malicious script is stored on the server and gets executed in the browser of any user, including administrators, when they click on the malicious post to view it. This issue does not currently have a fix.

XSS Emlog
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-10695 MEDIUM POC This Month

Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker‑supplied destination. Both endpoints are exposed with permission => 'any', enabling unauthenticated SSRF for internal network scanning and service interaction. This issue affects OpenSupports: 4.11.0.

SSRF Opensupports
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-60449 MEDIUM POC This Month

An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory.

Information Disclosure PHP Seacms
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-55971 MEDIUM POC This Month

TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.

SSRF 65c655 Firmware Android
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-54154 MEDIUM PATCH This Month

An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP Authenticator 1.3.1.1227 and later

Authentication Bypass Qnap Authenticator
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-61680 MEDIUM PATCH This Month

A security vulnerability in plaintext. This issue is fixed in (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD GitHub
CVSS 4.0
6.6
EPSS
0.1%
CVE-2025-61685 MEDIUM PATCH MAL This Month

Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.

Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-52867 MEDIUM PATCH This Month

An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-44012 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-44007 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-44006 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-33040 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-33039 MEDIUM PATCH This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-47210 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44011 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44010 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44009 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44008 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Denial Of Service Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-33034 MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

Path Traversal Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-57423 MEDIUM This Month

A SQL injection vulnerability was discovered in the /articles endpoint of MyClub 0.5, affecting the query parameters Content, GroupName, PersonName, lastUpdate, pool, and title. Due to insufficient input sanitisation, an unauthenticated remote attacker could inject arbitrary SQL commands via a crafted GET request, potentially leading to information disclosure or manipulation of the database.

SQLi Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-59829 MEDIUM PATCH This Month

A security vulnerability in Claude Code (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Claude Code
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53407 MEDIUM PATCH This Month

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Information Disclosure Qts Quts Hero
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53406 MEDIUM PATCH This Month

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Information Disclosure Qts Quts Hero
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-52429 MEDIUM PATCH This Month

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Information Disclosure Qts Quts Hero
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-48730 MEDIUM PATCH This Month

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Information Disclosure Quts Hero Qts
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-43825 MEDIUM PATCH This Month

A security vulnerability in Liferay Portal 7.4.0 (CVSS 6.5) that allows sensitive user data. Remediation should follow standard vulnerability management procedures.

Information Disclosure Liferay Portal Digital Experience Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-27236 MEDIUM PATCH This Month

A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.

Authentication Bypass Ubuntu Debian Zabbix Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-9199 MEDIUM This Month

The Woo superb slideshow transition gallery with random effect plugin for WordPress is vulnerable to SQL Injection via the 'woo-superb-slideshow' shortcode in all versions up to, and including, 9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-9198 MEDIUM This Month

The Wp cycle text announcement plugin for WordPress is vulnerable to SQL Injection via the 'cycle-text' shortcode in all versions up to, and including, 8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-9045 MEDIUM This Month

The Easy Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in versions less than, or equal to, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9876 MEDIUM This Month

The Ird Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irdslider' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9859 MEDIUM This Month

The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9858 MEDIUM This Month

The Auto Bulb Finder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abf_vehicle' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9854 MEDIUM This Month

The A Simple Multilanguage Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'asmp-switcher' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9204 MEDIUM This Month

The X Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Youtube Video ID field in all versions up to, and including, 1.0.14. This is due to insufficient input sanitization and output escaping on the Youtube Video ID parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9077 MEDIUM This Month

The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Animated Text' field of the Typeout Widget in version 1.1.9 and below due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9875 MEDIUM This Month

The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9206 MEDIUM This Month

The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all version up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9130 MEDIUM This Month

The Unify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's unify_checkout shortcode in all versions up to, and including, 3.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy