Skip to main content
CVE-2025-40547 CRITICAL This Week

A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Serv U Windows
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-40545 MEDIUM Monitor

SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. Rated medium severity (CVSS 4.8). No vendor patch available.

Open Redirect Observability Self Hosted
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-26391 MEDIUM This Month

SolarWinds Observability Self-Hosted XSS Vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is low attack complexity. No vendor patch available.

XSS Observability Self Hosted
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-13088 HIGH This Month

The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12962 MEDIUM This Month

The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SSRF PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12961 MEDIUM Monitor

The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12937 MEDIUM This Month

The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-12827 MEDIUM Monitor

The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12823 MEDIUM This Month

The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-12775 HIGH This Month

The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE WordPress PHP
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-12528 HIGH This Month

The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

File Upload RCE WordPress PHP
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-12406 MEDIUM This Month

The Project Honey Pot Spam Trap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-12404 MEDIUM This Month

The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-12372 MEDIUM Monitor

The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12173 MEDIUM Monitor

The WP Admin Microblog plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12078 MEDIUM This Month

The ArtiBot Free Chat Bot for WebSites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.1.7 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-11868 MEDIUM This Month

The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `everviz` shortcode attributes in versions up to, and including, 1.1. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-11620 HIGH This Month

The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-8727 HIGH This Month

There is a vulnerability in the Supermicro BMC web function at Supermicro MBD-X13SEDW-F. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Stack Overflow Buffer Overflow
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-8404 MEDIUM This Month

Stack buffer overflow vulnerability exists in the Supermicro BMC Shared library. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Stack Overflow Buffer Overflow RCE
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-8076 HIGH This Month

There is a vulnerability in the Supermicro BMC web function at Supermicro MBD-X13SEDW-F. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Stack Overflow Buffer Overflow
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-11267 MEDIUM This Month

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-11265 MEDIUM This Month

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-10089 HIGH This Month

Uncontrolled Search Path Element Vulnerability in Setting and Operation Application for Lighting Control System MILCO.S Setting Application all versions, MILCO.S Setting Application (IR) all. Rated high severity (CVSS 7.7), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-7623 MEDIUM This Month

Stack-based buffer overflow in the SMASH-CLP shell. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Stack Overflow Buffer Overflow RCE
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-12524 MEDIUM This Month

The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-48593 HIGH This Month

In bta_hf_client_cb_init of bta_hf_client_main.cc, there is a possible remote code execution due to a use after free. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Denial Of Service RCE Use After Free Android +1
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-64734 LOW Monitor

Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific. Rated low severity (CVSS 2.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
2.4
EPSS
0.0%
CVE-2025-52578 MEDIUM This Month

Incorrect Usage of Seeds in Pseudo-Random Number Generator (CWE- 335) vulnerability in the High Sec ELM may allow a sophisticated attacker with physical access, to compromise internal device. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-52457 MEDIUM This Month

Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security.30. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-12974 HIGH This Month

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

File Upload PHP RCE WordPress
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-8693 HIGH This Month

A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an authenticated attacker to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Zyxel Dm4200 B0 Firmware Dx3300 T0 Firmware Dx3300 T1 Firmware +51
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6599 MEDIUM This Month

An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an attacker to perform Slowloris‑style. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Zyxel Lte3301 Plus Firmware Nr5103 Firmware Nr5103E Firmware +63
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12792 LOW Monitor

The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.

RCE Privilege Escalation
NVD
CVSS 3.1
3.2
EPSS
0.0%
CVE-2025-13230 HIGH This Month

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Google Information Disclosure Chrome Red Hat
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13229 HIGH This Month

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Google Information Disclosure Chrome Red Hat
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13228 HIGH This Month

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Google Information Disclosure Chrome Red Hat
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13227 HIGH This Month

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Google Information Disclosure Chrome Red Hat
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13226 HIGH This Month

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Google Information Disclosure Chrome Red Hat
NVD
CVSS 3.1
8.8
EPSS
0.1%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy