Skip to main content
CVE-2025-64996 MEDIUM Monitor

In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Checkmk
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-63800 HIGH POC This Month

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Brute Force Open Source Point Of Sale
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-63604 MEDIUM POC This Week

A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE Authentication Bypass Python Aws Resources Mcp Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-63603 MEDIUM POC This Week

A command injection vulnerability exists in the MCP Data Science Server's (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Python Mcp Server For Data Exploration
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
CVE-2025-63602 HIGH POC This Month

A vulnerability was discovered in Awesome Miner thru 11.2.4 that allows arbitrary read and write to kernel memory and MSRs (such as LSTAR) as an unprivileged user. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Denial Of Service Buffer Overflow Privilege Escalation Awesome Miner
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2025-63408 HIGH POC This Month

Local Agent DVR versions thru 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause a server-side forgery request. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal SSRF Agent Dvr
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-58122 MEDIUM This Month

Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Checkmk
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-58121 MEDIUM This Month

Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Checkmk
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-55074 LOW PATCH Monitor

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member. Rated low severity (CVSS 3.0), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Mattermost Server
NVD
CVSS 3.1
3.0
EPSS
0.0%
CVE-2025-12383 CRITICAL PATCH This Week

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Authentication Bypass Jersey
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-9312 CRITICAL This Week

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Api Control Plane Api Manager Identity Server Identity Server As Key Manager +5
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-8084 MEDIUM This Month

The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.8 via the rest_helpers_create_images function. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SSRF PHP
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-63883 MEDIUM POC This Month

A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS E Commerce
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59117 MEDIUM Monitor

Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Windu Cms
NVD
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-59116 MEDIUM This Month

Windu CMS is vulnerable to User Enumeration. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Windu Cms
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-59115 MEDIUM This Month

Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Windu Cms
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-59114 MEDIUM This Month

Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Windu Cms
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-59113 MEDIUM This Month

Windu CMS implements weak client-side brute-force protection by using parameter loginError. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Windu Cms
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-59112 MEDIUM This Month

Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Windu Cms
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-59111 MEDIUM This Month

Windu CMS is vulnerable to Broken Access Control in user editing functionality. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Windu Cms
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-59110 MEDIUM This Month

Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Windu Cms
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2025-55179 MEDIUM This Month

Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apple Information Disclosure Whatsapp Whatsapp Business iOS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-12545 MEDIUM This Month

The Pixel Manager for WooCommerce - Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Google Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-12376 MEDIUM This Month

The Icon List Block - Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SSRF PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-10158 MEDIUM PATCH Monitor

A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-6670 HIGH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Api Control Plane Api Manager Enterprise Integrator Identity Server +5
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-41350 MEDIUM This Month

Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Winplus
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-41349 MEDIUM This Month

Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Winplus
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-41348 HIGH This Month

SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Winplus
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-41737 HIGH This Month

Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Authentication Bypass Ewio2 M Firmware Ewio2 M Bm Firmware Ewio2 Bm Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-41736 HIGH This Month

A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP RCE Python Ewio2 M Firmware +2
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-41735 HIGH This Month

A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE Ewio2 M Firmware Ewio2 M Bm Firmware Ewio2 Bm Firmware
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-41734 CRITICAL This Week

An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure Ewio2 M Firmware Ewio2 M Bm Firmware +1
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-41733 CRITICAL This Week

The commissioning wizard on the affected devices does not validate if the device is already initialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ewio2 M Firmware Ewio2 M Bm Firmware Ewio2 Bm Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-41347 HIGH This Month

Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Winplus
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-4212 HIGH This Month

The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-41346 CRITICAL This Week

Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Winplus
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-13196 MEDIUM This Month

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-13133 MEDIUM This Month

The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE PHP
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-12955 HIGH This Month

The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-12691 MEDIUM This Month

The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-12639 MEDIUM Monitor

The wModes - Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-12481 MEDIUM Monitor

The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12088 MEDIUM This Month

The Meta Display Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meta Display Block in all versions up to, and including, 1.0.0 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-11734 MEDIUM This Month

The Broken Link Checker by AIOSEO - Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-9625 MEDIUM Monitor

The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-8609 MEDIUM This Month

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-8605 MEDIUM This Month

The Gutenify - Visual Site Builder Blocks & Site Templates. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-40549 CRITICAL PATCH This Week

A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Microsoft Serv U Windows
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-40548 CRITICAL PATCH This Week

A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Microsoft Privilege Escalation Serv U Windows
NVD
CVSS 3.1
9.1
EPSS
0.1%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy