156 CVEs tracked today. 14 Critical, 51 High, 90 Medium, 1 Low.
-
CVE-2026-21675
CRITICAL
CVSS 9.8
iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint objects. Processing a malicious ICC profile can lead to code execution. PoC available, fixed in 2.3.1.1.
Use After Free
Iccdev
-
CVE-2025-65212
CRITICAL
CVSS 9.8
NJHYST HY511 POE core (before 2.1) allows unauthenticated download of the configuration file containing usernames and self-decrypted MD5 passwords, due to insufficient cookie verification. PoC available.
Authentication Bypass
Hy511 Firmware
-
CVE-2025-60534
CRITICAL
CVSS 9.8
Blue Access Cobalt v02.000.195 has an authentication bypass through selective request proxying. Attackers can manipulate proxy behavior to access web application functions without legitimate credentials.
Authentication Bypass
Cobalt X1
-
CVE-2025-60262
CRITICAL
CVSS 9.8
H3C wireless controllers (M102G) and access points (BA1500L) have a vsftpd misconfiguration that grants root ownership to anonymously uploaded FTP files. Attackers can upload malicious files that execute with root privileges, gaining full device control.
Privilege Escalation
Mc102 G Firmware
Magic Ba1500l Firmware
-
CVE-2025-39477
CRITICAL
CVSS 9.8
InWave Jobs WordPress plugin (through 3.5.8) has missing authorization allowing unauthenticated access to restricted functionality. The CVSS 9.8 score indicates complete compromise of confidentiality, integrity, and availability.
Authentication Bypass
-
CVE-2025-30996
CRITICAL
CVSS 9.9
Multiple Themify WordPress themes (Sidepane, Newsy, Folo, Edmin, Bloggie, Photobox, Wigi, Rezo, Slide) allow authenticated users to upload web shells. Low privileges sufficient, scope change to OS-level code execution. Affects 9 themes simultaneously.
WordPress
PHP
-
CVE-2025-15444
CRITICAL
CVSS 9.8
Crypt::Sodium::XS for Perl bundles a vulnerable version of libsodium (<= 1.0.20) that has a signature verification flaw. In atypical use cases with custom cryptography, this can compromise data authenticity guarantees. Patch available.
Information Disclosure
Redhat
Suse
-
CVE-2025-15385
CRITICAL
CVSS 9.8
TECNO Mobile's Boomplayer app (v7.4.63) has insufficient data authenticity verification allowing authentication bypass. A pre-installed app vulnerability affecting TECNO phone users.
Authentication Bypass
Boomplay
-
CVE-2025-15001
CRITICAL
CVSS 9.8
FS Registration Password plugin for WordPress (through 1.0.1) allows unauthenticated password resets for any user. Same vulnerability class as CVE-2025-14996 (AS Password Field) – missing identity verification before password change.
WordPress
Privilege Escalation
PHP
-
CVE-2025-14996
CRITICAL
CVSS 9.8
AS Password Field plugin for WordPress (through 2.0.0) allows unauthenticated password resets for any user without identity verification. Like CVE-2025-14998 (Branda), this enables immediate administrator account takeover.
WordPress
Privilege Escalation
PHP
-
CVE-2025-14942
CRITICAL
CVSS 9.8
wolfSSH through 1.4.21 has a key exchange state machine vulnerability that can leak client passwords in cleartext, trick clients into sending bogus signatures, or skip user authentication entirely. A fundamental protocol implementation flaw.
Authentication Bypass
Wolfssh
-
CVE-2020-36925
CRITICAL
CVSS 9.8
Arteco DVR/NVR web client uses session IDs with insufficient complexity, allowing brute-force attacks to hijack active sessions and access live camera streams without authentication. PoC available.
Authentication Bypass
-
CVE-2020-36923
CRITICAL
CVSS 9.8
Sony BRAVIA Digital Signage 1.7.8 has an IDOR vulnerability that allows attackers to access hidden system resources like /#/content-creation by bypassing client-side access restrictions. PoC available.
Authentication Bypass
Bravia Signage
-
CVE-2020-36912
CRITICAL
CVSS 9.8
Plexus Digital Signage Management 3.1.13 has an open redirect via the 'pagina' parameter in the PantallaLogin script. While typically a medium-severity issue, the CVSS 9.8 rating suggests broader exploitation potential through chaining with other vulnerabilities in the signage platform.
Open Redirect
-
CVE-2026-21677
HIGH
CVSS 8.8
iccDEV color management library versions 2.3.1 and earlier contain undefined behavior in the CLUT initialization function that can be exploited remotely without authentication to achieve code execution, information disclosure, or denial of service. Public exploit code exists for this vulnerability which affects all users of the vulnerable library versions. A patch is available in version 2.3.1.1 and should be applied immediately.
Code Injection
Iccdev
-
CVE-2026-21676
HIGH
CVSS 8.8
Heap buffer overflow in iccDEV versions 2.3.1 and earlier allows remote attackers to execute arbitrary code or crash the application through malformed ICC color profile data processed by the CIccMBB::Validate function. Public exploit code exists for this vulnerability, which affects all users handling untrusted color profiles. Upgrade to version 2.3.1.1 or later to remediate.
Buffer Overflow
Heap Overflow
Iccdev
-
CVE-2026-21673
HIGH
CVSS 7.8
Integer overflow in iccDEV's CIccXmlArrayType::ParseTextCountNum() function allows local attackers with user interaction to achieve arbitrary code execution through maliciously crafted ICC color profile files. The vulnerability affects iccDEV versions 2.3.1 and below, impacting users who process untrusted color profiles. Public exploit code exists for this vulnerability, and a patch is available in version 2.3.1.1.
Integer Overflow
Iccdev
-
CVE-2026-21507
HIGH
CVSS 7.5
iccDEV ICC color profile processing library versions 2.3.1 and below contain an infinite loop in the CalcProfileID function that allows unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and affected systems should upgrade to version 2.3.1.1 or later to remediate the issue.
Denial Of Service
Iccdev
-
CVE-2026-21486
HIGH
CVSS 7.8
iccDEV versions 2.3.1.1 and earlier are vulnerable to use-after-free, heap buffer overflow, and integer overflow flaws in the CIccSparseMatrix function, allowing local attackers with user interaction to achieve arbitrary code execution. The vulnerability affects all systems using vulnerable iccDEV libraries for ICC color profile processing and is resolved in version 2.3.1.2.
Buffer Overflow
Heap Overflow
Use After Free
Integer Overflow
Iccdev
-
CVE-2026-21485
HIGH
CVSS 8.8
iccDEV ICC color profile libraries versions 2.3.1.1 and earlier suffer from undefined behavior and out-of-memory errors that can be exploited remotely without authentication to achieve code execution or denial of service. Public exploit code exists for this vulnerability, affecting users who have not upgraded to version 2.3.1.2 or later. An attacker can trigger memory corruption through specially crafted ICC profile inputs with user interaction.
Code Injection
Iccdev
-
CVE-2026-21411
HIGH
CVSS 8.8
OpenBlocks firmware versions before 5.0.8 contain an authentication bypass vulnerability that allows unauthenticated attackers on adjacent networks to gain administrator access and reset passwords without valid credentials. This high-severity flaw affects all OpenBlocks series devices and requires no user interaction to exploit, though no patch is currently available.
Authentication Bypass
-
CVE-2026-0640
HIGH
CVSS 8.8
Buffer overflow in Tenda AC23 firmware version 16.03.07.52 allows remote attackers with low privileges to achieve complete system compromise through a malformed Time parameter in the /goform/PowerSaveSet function. Public exploit code exists for this vulnerability, creating immediate risk to affected devices. No patch is currently available.
Buffer Overflow
Ac23 Firmware
-
CVE-2026-0607
HIGH
CVSS 7.3
Online Music Site versions up to 1.0 contain a SQL injection vulnerability (CVSS 7.3).
PHP
SQLi
Online Music Site
-
CVE-2025-69356
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion. This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. [CVSS 7.5 HIGH]
PHP
Lfi
-
CVE-2025-69342
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion. This issue affects Calafate: from n/a through <= 1.7.7. [CVSS 7.5 HIGH]
PHP
Lfi
-
CVE-2025-69228
HIGH
CVSS 7.5
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]
Python
Aiohttp
Redhat
Suse
-
CVE-2025-69227
HIGH
CVSS 7.5
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. [CVSS 7.5 HIGH]
Python
Denial Of Service
Aiohttp
Redhat
Suse
-
CVE-2025-69086
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jwsthemes Issabella allows PHP Local File Inclusion. This issue affects Issabella: from n/a through 1.1.2. [CVSS 8.1 HIGH]
PHP
Lfi
-
CVE-2025-69085
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins JobBank allows Reflected XSS. This issue affects JobBank: from n/a through 1.2.2. [CVSS 7.1 HIGH]
XSS
-
CVE-2025-69084
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS. This issue affects Photo Gallery: from n/a through 2.7.7.26. [CVSS 7.1 HIGH]
XSS
-
CVE-2025-69083
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé allows PHP Local File Inclusion. This issue affects Frappé: from n/a through 1.8. [CVSS 8.1 HIGH]
PHP
Lfi
-
CVE-2025-59379
HIGH
CVSS 7.5
DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. [CVSS 7.5 HIGH]
SQLi
Isensix Advanced Remote Monitoring System Firmware
-
CVE-2025-47553
HIGH
CVSS 8.8
Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.25. [CVSS 8.8 HIGH]
Zoom
Deserialization
-
CVE-2025-36589
HIGH
CVSS 7.6
Unisphere For Powermax versions up to 9.2.4.18 are affected by improper restriction of XML external entity reference (CVSS 7.6).
XXE
Unisphere For Powermax Virtual Appliance
Unisphere For Powermax
-
CVE-2025-32304
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion. This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 8.1 HIGH]
Joomla
PHP
Lfi
-
CVE-2025-30631
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS. This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. [CVSS 7.1 HIGH]
WordPress
XSS
PHP
-
CVE-2025-29004
HIGH
CVSS 8.8
Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation. This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. [CVSS 8.8 HIGH]
WordPress
Privilege Escalation
PHP
-
CVE-2025-20801
HIGH
CVSS 7.0
In seninf, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]
Privilege Escalation
Race Condition
Buffer Overflow
-
CVE-2025-20800
HIGH
CVSS 7.8
In mminfra, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Privilege Escalation
Android
Google
-
CVE-2025-20799
HIGH
CVSS 7.8
In c2ps, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Use After Free
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20798
HIGH
CVSS 7.8
In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Privilege Escalation
Android
Google
-
CVE-2025-20797
HIGH
CVSS 7.8
In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Privilege Escalation
Android
Google
-
CVE-2025-20796
HIGH
CVSS 7.8
Android versions up to 15.0 contain a vulnerability that allows local escalation of privilege if a malicious actor has already obtained the System privilege (CVSS 7.8).
Privilege Escalation
Android
Google
-
CVE-2025-20795
HIGH
CVSS 7.8
In KeyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Privilege Escalation
Android
Google
-
CVE-2025-20781
HIGH
CVSS 7.8
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Use After Free
Memory Corruption
Privilege Escalation
Denial Of Service
Buffer Overflow
-
CVE-2025-20780
HIGH
CVSS 7.8
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Use After Free
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20779
HIGH
CVSS 7.0
In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.0 HIGH]
Use After Free
Privilege Escalation
Race Condition
Android
Google
-
CVE-2025-20778
HIGH
CVSS 7.8
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]
Privilege Escalation
Android
Google
-
CVE-2025-15382
HIGH
CVSS 8.1
A heap buffer over-read vulnerability exists in the wolfSSH_CleanPath() function in wolfSSH. An authenticated remote attacker can trigger the issue via crafted SCP path input containing '/./' sequences, resulting in a heap over read by 1 byte. [CVSS 8.1 HIGH]
Buffer Overflow
Wolfssh
-
CVE-2025-15364
HIGH
CVSS 7.3
Download Manager (WordPress plugin) versions up to 3.3.40 contain a security vulnerability (CVSS 7.3).
WordPress
Privilege Escalation
PHP
-
CVE-2025-14997
HIGH
CVSS 8.8
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. [CVSS 7.2 HIGH]
WordPress
PHP
RCE
Path Traversal
-
CVE-2025-14979
HIGH
CVSS 8.5
AirVPN Eddie on MacOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. This issue affects Eddie: 2.24.6.
Privilege Escalation
Apple
-
CVE-2025-14026
HIGH
CVSS 7.8
Forcepoint One DLP Client, version 23.04.5642 (and possibly newer versions), includes a restricted version of Python 2.5.4 that prevents use of the ctypes library. [CVSS 7.8 HIGH]
Python
One Data Loss Prevention
-
CVE-2025-12793
HIGH
CVSS 7.8
An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]
Privilege Escalation
RCE
Myasus
-
CVE-2024-30547
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS. This issue affects Header Image Slider: from n/a through 0.3. [CVSS 7.1 HIGH]
XSS
-
CVE-2020-36922
HIGH
CVSS 7.5
Bravia Signage contains a vulnerability that allows attackers to access sensitive system details through API endpoints (CVSS 7.5).
Information Disclosure
Bravia Signage
-
CVE-2020-36921
HIGH
CVSS 7.5
RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. [CVSS 7.5 HIGH]
Information Disclosure
-
CVE-2020-36920
HIGH
CVSS 8.8
iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. [CVSS 8.8 HIGH]
Authentication Bypass
-
CVE-2020-36917
HIGH
CVSS 7.5
iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. [CVSS 7.5 HIGH]
Information Disclosure
-
CVE-2020-36916
HIGH
CVSS 8.8
TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. [CVSS 8.8 HIGH]
Privilege Escalation
-
CVE-2020-36915
HIGH
CVSS 7.5
Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. [CVSS 7.5 HIGH]
Ssh
-
CVE-2020-36914
HIGH
CVSS 7.5
QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. [CVSS 7.5 HIGH]
Information Disclosure
-
CVE-2020-36910
HIGH
CVSS 8.8
Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root. [CVSS 8.8 HIGH]
Command Injection
-
CVE-2020-36907
HIGH
CVSS 7.5
Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption. [CVSS 7.5 HIGH]
PHP
Denial Of Service
-
CVE-2020-36905
HIGH
CVSS 7.5
An undocumented proxy API is affected by inclusion of functionality from an untrusted control sphere (CVSS 7.5).
Path Traversal
RCE
-
CVE-2026-21494
MEDIUM
CVSS 6.1
Processing malicious ICC color profiles in iccDEV library versions before 2.3.1.2 triggers a heap buffer overflow in the tag validation function, allowing local attackers to cause denial of service or potentially execute code with user privileges. The vulnerability requires user interaction to process a crafted color profile file and affects any application using the vulnerable iccDEV library for ICC profile handling. A patch is available in version 2.3.1.2 with no known workarounds.
Buffer Overflow
Iccdev
-
CVE-2026-21493
MEDIUM
CVSS 6.6
Local attackers can exploit a type confusion vulnerability in iccDEV 2.3.1.1 and earlier during XML curve serialization to cause denial of service or achieve information disclosure. The flaw exists in the CIccSingleSampledeCurveXml class and affects systems using vulnerable versions of the ICC color management library. Public exploit code exists for this vulnerability, though a patch is available in version 2.3.1.2.
Information Disclosure
Iccdev
-
CVE-2026-21492
MEDIUM
CVSS 5.5
Local denial of service in iccDEV versions prior to 2.3.1.2 allows an unauthenticated user with local access to crash applications processing ICC color profiles through a null pointer dereference. Public exploit code exists for this vulnerability. Users should upgrade to version 2.3.1.2 or later, as no workarounds are available.
Null Pointer Dereference
Iccdev
-
CVE-2026-21491
MEDIUM
CVSS 6.1
A buffer overflow in iccDEV versions before 2.3.1.2 affects users processing ICC color profiles through the library's CIccTagTextDescription component, allowing local attackers with user interaction to cause denial of service or potentially read sensitive memory. Public exploit code exists for this vulnerability. The issue has been patched in version 2.3.1.2.
Buffer Overflow
Iccdev
-
CVE-2026-21490
MEDIUM
CVSS 6.1
Heap buffer overflow in iccDEV versions before 2.3.1.2 allows local attackers with user interaction to cause denial of service or disclose sensitive information when processing malicious ICC color profiles through the CIccTagLut16::Validate() function. Public exploit code exists for this vulnerability. A patch is available in version 2.3.1.2 with no known workarounds.
Buffer Overflow
Iccdev
-
CVE-2026-21489
MEDIUM
CVSS 6.1
Out-of-bounds memory reads in iccDEV versions 2.3.1.1 and earlier allow local attackers to cause denial of service or leak sensitive information through integer underflow flaws in the CIccCalculatorFunc::SequenceNeedTempReset function. The vulnerability requires user interaction and affects systems processing ICC color profiles. A patch is available in version 2.3.1.2.
Integer Overflow
Iccdev
-
CVE-2026-21488
MEDIUM
CVSS 6.1
Heap-based buffer overflow in iccDEV 2.3.1.1 and earlier allows local attackers with user interaction to cause denial of service or information disclosure through malformed ICC color profile files processed by the CIccTagText::Read function. The vulnerability stems from improper bounds checking and null termination handling when parsing profile data. A patch is available in version 2.3.1.2.
Buffer Overflow
Heap Overflow
Iccdev
-
CVE-2026-21487
MEDIUM
CVSS 6.1
iccDEV versions 2.3.1.1 and below allow local attackers to cause a denial of service or leak sensitive memory through improper input validation in the CIccProfile::LoadTag function, which fails to properly validate ICC profile data before processing. Public exploit code exists for this vulnerability, and a patch is available in version 2.3.1.2.
Buffer Overflow
Code Injection
Iccdev
-
CVE-2026-21439
MEDIUM
CVSS 5.3
badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. [CVSS 5.3 MEDIUM]
Ssh
Badkeys
-
CVE-2026-0641
MEDIUM
CVSS 6.3
Command injection in TOTOLINK WA300 firmware (version 5.2cu.7112_B20190227 and earlier) allows authenticated remote attackers to execute arbitrary commands through a malformed UPLOAD_FILENAME parameter in the cstecgi.cgi function. Public exploit code exists for this vulnerability, and no patch is currently available.
Command Injection
Wa300 Firmware
-
CVE-2026-0604
MEDIUM
CVSS 6.5
Path traversal in the FastDup WordPress plugin through version 2.7 allows authenticated contributors and above to enumerate and read arbitrary directories on affected servers via a malicious 'dir_path' parameter in the REST API. This vulnerability enables attackers with low-level WordPress access to access sensitive files and configuration data without requiring elevated privileges or user interaction.
WordPress
Path Traversal
-
CVE-2025-69364
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through <= 2.2.21. [CVSS 5.3 MEDIUM]
Authentication Bypass
-
CVE-2025-69363
MEDIUM
CVSS 6.5
CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor is affected by missing authorization (CVSS 6.5).
Authentication Bypass
-
CVE-2025-69362
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH UiChemy uichemy allows Stored XSS. This issue affects UiChemy: from n/a through <= 4.4.2. [CVSS 6.5 MEDIUM]
XSS
-
CVE-2025-69361
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Expirator: from n/a through <= 4.9.3. [CVSS 4.3 MEDIUM]
Authentication Bypass
-
CVE-2025-69360
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS. This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0. [CVSS 6.5 MEDIUM]
XSS
-
CVE-2025-69359
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Creator LMS: from n/a through <= 1.1.12. [CVSS 5.3 MEDIUM]
Authentication Bypass
-
CVE-2025-69357
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS. This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. [CVSS 6.5 MEDIUM]
XSS
-
CVE-2025-69355
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.4. [CVSS 4.3 MEDIUM]
Authentication Bypass
-
CVE-2025-69354
MEDIUM
CVSS 5.4
BBR Plugins Better Business Reviews better-business-reviews is affected by missing authorization (CVSS 5.4).
Authentication Bypass
-
CVE-2025-69353
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.3. [CVSS 5.4 MEDIUM]
Authentication Bypass
-
CVE-2025-69352
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through <= 6.15.12.2. [CVSS 5.4 MEDIUM]
Authentication Bypass
-
CVE-2025-69351
MEDIUM
CVSS 6.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.4. [CVSS 6.5 MEDIUM]
SQLi
-
CVE-2025-69350
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion accordions-wp allows Stored XSS. This issue affects Accordion: from n/a through <= 3.0.3. [CVSS 6.5 MEDIUM]
XSS
-
CVE-2025-69349
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RSS Feed Widget: from n/a through <= 3.0.2. [CVSS 5.4 MEDIUM]
Authentication Bypass
-
CVE-2025-69348
MEDIUM
CVSS 5.4
CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar is affected by missing authorization (CVSS 5.4).
Authentication Bypass
-
CVE-2025-69346
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AffiliateX: from n/a through <= 1.3.9.3. [CVSS 5.4 MEDIUM]
Authentication Bypass
-
CVE-2025-69345
MEDIUM
CVSS 5.4
BoldGrid Post and Page Builder by BoldGrid post-and-page-builder is affected by missing authorization (CVSS 5.4).
Authentication Bypass
-
CVE-2025-69341
MEDIUM
CVSS 5.4
BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon is affected by missing authorization (CVSS 5.4).
Authentication Bypass
-
CVE-2025-69336
MEDIUM
CVSS 4.3
bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit is affected by missing authorization (CVSS 4.3).
Authentication Bypass
-
CVE-2025-69335
MEDIUM
CVSS 5.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS. This issue affects Team Showcase: from n/a through <= 2.9. [CVSS 5.4 MEDIUM]
XSS
-
CVE-2025-69334
MEDIUM
CVSS 6.5
WPFactory Wishlist for WooCommerce wish-list-for-woocommerce is affected by cross-site scripting (XSS) (CVSS 6.5).
WordPress
XSS
PHP
-
CVE-2025-69331
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.19. [CVSS 4.3 MEDIUM]
WordPress
PHP
-
CVE-2025-69327
MEDIUM
CVSS 4.3
magepeopleteam Car Rental Manager car-rental-manager is affected by missing authorization (CVSS 4.3).
Authentication Bypass
-
CVE-2025-69230
MEDIUM
CVSS 5.3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]
Python
Aiohttp
Redhat
Suse
-
CVE-2025-69229
MEDIUM
CVSS 5.3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]
Python
Denial Of Service
Aiohttp
Redhat
Suse
-
CVE-2025-69225
MEDIUM
CVSS 5.3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. [CVSS 5.3 MEDIUM]
Python
Aiohttp
Redhat
Suse
-
CVE-2025-69197
MEDIUM
CVSS 6.5
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. [CVSS 6.5 MEDIUM]
Authentication Bypass
Panel
-
CVE-2025-68954
MEDIUM
CVSS 5.4
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. [CVSS 5.4 MEDIUM]
Information Disclosure
Wings
Panel
Suse
-
CVE-2025-63083
MEDIUM
CVSS 6.1
Lack of output escaping leads to a XSS vector in the pagebreak plugin. [CVSS 6.1 MEDIUM]
XSS
-
CVE-2025-63082
MEDIUM
CVSS 6.1
Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. [CVSS 6.1 MEDIUM]
XSS
-
CVE-2025-46696
MEDIUM
CVSS 6.4
Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application, versions 5.26 to 5.30, contain an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. [CVSS 6.4 MEDIUM]
Privilege Escalation
Dell
Secure Connect Gateway
-
CVE-2025-20807
MEDIUM
CVSS 6.7
In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Integer Overflow
Privilege Escalation
Android
Google
-
CVE-2025-20806
MEDIUM
CVSS 6.7
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Use After Free
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20805
MEDIUM
CVSS 6.7
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Use After Free
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20804
MEDIUM
CVSS 6.7
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Use After Free
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20803
MEDIUM
CVSS 6.7
In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Integer Overflow
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20802
MEDIUM
CVSS 6.7
In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Use After Free
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20794
MEDIUM
CVSS 6.5
In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. [CVSS 6.5 MEDIUM]
Denial Of Service
Nr16
Nr15
Nr17r
Nr17
-
CVE-2025-20793
MEDIUM
CVSS 6.5
In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. [CVSS 6.5 MEDIUM]
Denial Of Service
Nr16
Nr17
Nr15
Nr17r
-
CVE-2025-20787
MEDIUM
CVSS 6.7
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Use After Free
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20786
MEDIUM
CVSS 6.7
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Use After Free
Memory Corruption
Privilege Escalation
Denial Of Service
Buffer Overflow
-
CVE-2025-20785
MEDIUM
CVSS 6.7
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Use After Free
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20784
MEDIUM
CVSS 6.7
Android versions up to 14.0 contain a vulnerability that allows local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).
Memory Corruption
Privilege Escalation
Android
Google
-
CVE-2025-20783
MEDIUM
CVSS 6.7
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Privilege Escalation
Android
Google
-
CVE-2025-20782
MEDIUM
CVSS 6.7
In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Privilege Escalation
Android
Google
-
CVE-2025-20762
MEDIUM
CVSS 6.5
In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. [CVSS 6.5 MEDIUM]
Denial Of Service
Nr17
-
CVE-2025-20761
MEDIUM
CVSS 6.5
Nr15 versions up to - is affected by improper check for unusual or exceptional conditions (CVSS 6.5).
Denial Of Service
Nr15
Nr17
Nr16
-
CVE-2025-20760
MEDIUM
CVSS 6.5
In Modem, there is a possible read of uninitialized heap data due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. [CVSS 6.5 MEDIUM]
Denial Of Service
Nr16
Nr17
Nr15
-
CVE-2025-14552
MEDIUM
CVSS 6.4
The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
WordPress
XSS
PHP
-
CVE-2025-14441
MEDIUM
CVSS 4.3
The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. [CVSS 5.3 MEDIUM]
WordPress
Authentication Bypass
-
CVE-2025-14438
MEDIUM
CVSS 6.4
The Xagio SEO - AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. [CVSS 6.4 MEDIUM]
WordPress
SSRF
AI / ML
PHP
-
CVE-2025-14371
MEDIUM
CVSS 4.3
The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. [CVSS 4.3 MEDIUM]
WordPress
Authentication Bypass
-
CVE-2025-14153
MEDIUM
CVSS 6.5
Page Expire Popup/Redirection for WordPress (WordPress plugin) is affected by SQL injection (CVSS 6.5).
WordPress
SQLi
PHP
-
CVE-2025-14120
MEDIUM
CVSS 6.4
The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. [CVSS 6.4 MEDIUM]
WordPress
XSS
PHP
-
CVE-2025-14034
MEDIUM
CVSS 5.3
ilGhera Support System for WooCommerce (WordPress plugin) is affected by missing authorization (CVSS 5.3).
WordPress
PHP
-
CVE-2025-13964
MEDIUM
CVSS 5.3
The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. [CVSS 5.3 MEDIUM]
WordPress
PHP
-
CVE-2025-13812
MEDIUM
CVSS 4.3
The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. [CVSS 4.3 MEDIUM]
WordPress
PHP
-
CVE-2025-13766
MEDIUM
CVSS 5.4
for Online Courses and Education versions up to 3.7.6 is affected by missing authorization (CVSS 5.4).
WordPress
PHP
-
CVE-2025-13746
MEDIUM
CVSS 6.4
The ForumWP - Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
WordPress
XSS
PHP
-
CVE-2025-13744
MEDIUM
CVSS 5.4
An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. [CVSS 5.4 MEDIUM]
Github
Enterprise Server
-
CVE-2025-13652
MEDIUM
CVSS 6.5
The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
WordPress
SQLi
PHP
-
CVE-2025-13409
MEDIUM
CVSS 4.9
The Form Vibes - Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]
WordPress
SQLi
PHP
-
CVE-2025-13215
MEDIUM
CVSS 5.3
Shortcodes and extra features for Phlox theme (WordPress plugin) versions up to 2.17.13 are affected by information exposure (CVSS 5.3).
WordPress
Information Disclosure
PHP
-
CVE-2025-12067
MEDIUM
CVSS 6.4
Table Field Add-on for ACF and SCF (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
WordPress
XSS
PHP
-
CVE-2025-11723
MEDIUM
CVSS 6.5
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifi...
WordPress
PHP
Information Disclosure
-
CVE-2025-11370
MEDIUM
CVSS 5.3
The Popup and Slider Builder by Depicter - Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. [CVSS 5.3 MEDIUM]
WordPress
PHP
-
CVE-2025-9637
MEDIUM
CVSS 6.5
The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. [CVSS 6.5 MEDIUM]
WordPress
Quiz And Survey Master
PHP
-
CVE-2025-9318
MEDIUM
CVSS 6.5
The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]
WordPress
SQLi
Quiz And Survey Master
PHP
-
CVE-2025-9294
MEDIUM
CVSS 4.3
The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. [CVSS 4.3 MEDIUM]
WordPress
Authentication Bypass
-
CVE-2025-7048
MEDIUM
CVSS 4.3
On affected platforms running Arista EOS with MACsec configuration, a specially crafted packet can cause the MACsec process to terminate unexpectedly. Continuous receipt of these packets with certain MACsec configurations can cause longer term disruption of dataplane traffic. [CVSS 4.3 MEDIUM]
Information Disclosure
-
CVE-2025-5919
MEDIUM
CVSS 6.5
The Appointment Booking and Scheduling Calendar Plugin - WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. [CVSS 6.5 MEDIUM]
WordPress
Industrial
PHP
-
CVE-2025-4776
MEDIUM
CVSS 6.4
The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
WordPress
XSS
PHP
-
CVE-2024-31088
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r - Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS. This issue affects AdsPlace'r - Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5. [CVSS 6.5 MEDIUM]
XSS
-
CVE-2020-36924
MEDIUM
CVSS 6.1
Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. [CVSS 6.1 MEDIUM]
XSS
Bravia Signage
-
CVE-2020-36918
MEDIUM
CVSS 4.3
iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. [CVSS 4.3 MEDIUM]
CSRF
-
CVE-2020-36913
MEDIUM
CVSS 5.3
All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. [CVSS 5.3 MEDIUM]
PHP
Industrial
CSRF
Authentication Bypass
-
CVE-2020-36909
MEDIUM
CVSS 6.5
SnapGear Management Console SG560 3.1.5 contains a file manipulation vulnerability that allows authenticated users to read, write, and delete files using the edit_config_files CGI script. [CVSS 6.5 MEDIUM]
Path Traversal
Snapgear Sg560 Firmware
-
CVE-2020-36908
MEDIUM
CVSS 5.3
Snapgear Sg560 Firmware versions up to 3.1.5 are affected by cross-site request forgery (CSRF) (CVSS 5.3).
CSRF
Snapgear Sg560 Firmware
-
CVE-2020-36906
MEDIUM
CVSS 4.3
P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. [CVSS 4.3 MEDIUM]
CSRF
-
CVE-2026-21674
LOW
CVSS 3.3
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). [CVSS 3.3 LOW]
Denial Of Service