Skip to main content
CVE-2025-54326 HIGH This Week

An issue was discovered in Camera in Samsung Mobile Processor Exynos 1280 and 2200. Unnecessary registration of a hardware IP address in the Camera device driver can lead to a NULL pointer dereference, resulting in a denial of service.

Null Pointer Dereference Samsung Denial Of Service Exynos 2200 Firmware Exynos 1280 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13086 HIGH PATCH This Week

Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client

Denial Of Service Ubuntu Debian Openvpn Red Hat +1
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-33201 HIGH This Week

NVIDIA Triton Inference Server contains a vulnerability where an attacker may cause an improper check for unusual or exceptional conditions issue by sending extra large payloads. A successful exploit of this vulnerability may lead to denial of service.

Denial Of Service Triton Inference Server
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13645 HIGH PATCH This Week

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Path Traversal WordPress PHP RCE Modula Image Gallery
NVD GitHub
CVSS 3.1
7.2
EPSS
1.2%
CVE-2025-13947 HIGH PATCH This Week

A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser.

Information Disclosure
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-13492 HIGH PATCH This Week

A potential security vulnerability has been identified in HP Image Assistant for versions prior to 5.3.3. The vulnerability could potentially allow a local attacker to escalate privileges via a race condition when installing packages.

Privilege Escalation Image Assistant
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-66478 POC Act Now

Rejected reason: This CVE is a duplicate of CVE-2025-55182. Public exploit code available and no vendor patch available.

Information Disclosure
NVD GitHub
CVE-2025-65097 MEDIUM PATCH This Month

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.

Authentication Bypass Romm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13359 MEDIUM PATCH This Month

The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors).

WordPress SQLi Taxopress PHP
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-65345 MEDIUM This Month

alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation.

Path Traversal Laravel File Manager
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-61727 MEDIUM PATCH This Month

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Information Disclosure Ubuntu Debian Go Red Hat +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13448 MEDIUM This Month

The CSSIgniter Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' shortcode attribute in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13401 MEDIUM This Month

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-29864 MEDIUM PATCH This Month

A security vulnerability in ESTsoft ALZip on Windows allows SmartScreen bypass (CVSS 6.2). Remediation should follow standard vulnerability management procedures.

Microsoft Authentication Bypass Windows
NVD
CVSS 4.0
6.2
EPSS
0.0%
CVE-2025-63402 MEDIUM This Month

An issue in HCL Technologies Limited HCLTech GRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via APIs do not enforcing limits on the number or size of requests

RCE Denial Of Service Dragon
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2025-63401 MEDIUM This Month

Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives

XSS RCE Dragon
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2025-66453 MEDIUM PATCH This Month

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-13751 MEDIUM PATCH This Month

Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.

Microsoft Denial Of Service Debian Openvpn Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-20381 MEDIUM PATCH This Month

In Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-12887 MEDIUM This Month

A security vulnerability in for WordPress is vulnerable to authorization bypass in all (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-10304 MEDIUM This Month

A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-53965 MEDIUM This Month

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. The function used to decode the SOR transparent container lacks bounds checking, which can cause a fatal error.

Buffer Overflow Samsung Modem 5300 Firmware Exynos 2200 Firmware Exynos 1280 Firmware +15
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-20384 MEDIUM PATCH This Month

A security vulnerability in Splunk Enterprise (CVSS 5.3) that allows them. Remediation should follow standard vulnerability management procedures.

Information Disclosure Splunk Splunk Cloud Platform
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-39665 MEDIUM PATCH This Month

CVE-2025-39665 is a security vulnerability (CVSS 5.3) that allows an unauthenticated attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Ubuntu Debian Nagvis
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12585 MEDIUM This Month

The MxChat - AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data.

WordPress Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12084 MEDIUM PATCH This Month

CVE-2025-12084 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Ubuntu Debian Python Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13472 MEDIUM PATCH This Month

A remote code execution vulnerability in BlazeMeter Jenkins Plugin (CVSS 5.3) that allows users only with certain permissions. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Jenkins
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-66406 MEDIUM PATCH This Month

A security vulnerability in Step CA (CVSS 5.0). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Red Hat Suse
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-13495 MEDIUM This Month

The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi PHP
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-13992 MEDIUM PATCH This Month

Side-channel information leakage in Navigation and Loading in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Ubuntu Debian Chrome +2
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-20389 MEDIUM PATCH This Month

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS).

Denial Of Service Splunk Splunk Secure Gateway Splunk Cloud Platform
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-20383 MEDIUM PATCH This Month

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert.

Information Disclosure Splunk Splunk Secure Gateway Splunk Cloud Platform
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-65096 MEDIUM PATCH This Month

RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.

Authentication Bypass Romm
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13756 MEDIUM This Month

A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13354 MEDIUM PATCH This Month

The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms.

Authentication Bypass WordPress Taxopress PHP
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13109 MEDIUM This Month

A remote code execution vulnerability in for WordPress is vulnerable to Insecure Direct Object Reference in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12358 MEDIUM This Month

The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64763 LOW PATCH Monitor

Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.

Information Disclosure Debian
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-20382 LOW PATCH Monitor

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

Open Redirect Splunk
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-13948 LOW Monitor

A security vulnerability in opsre go-ldap-admin (CVSS 5.6). Remediation should follow standard vulnerability management procedures.

Docker Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-20388 LOW PATCH Monitor

In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment.

SSRF Splunk
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-12954 LOW PATCH Monitor

A security vulnerability in Timetable and Event Schedule by MotoPress WordPress (CVSS 2.7). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD WPScan
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-20385 LOW PATCH Monitor

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user.

XSS Splunk
NVD
CVSS 3.1
2.4
EPSS
0.0%
CVE-2025-13949 LOW Monitor

A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file /server/controller/FileController.go. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

File Upload Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy