Skip to main content
CVE-2025-11246 MEDIUM This Month

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. [CVSS 5.4 MEDIUM]

Gitlab
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14720 MEDIUM This Month

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14886 MEDIUM This Month

The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14146 MEDIUM This Month

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible ...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13717 MEDIUM This Month

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20973 MEDIUM This Month

libimagecodec.quram.so in Android devices prior to the January 2026 Security Maintenance Release 1 contains an out-of-bounds read vulnerability that allows remote attackers to access sensitive memory without authentication. The vulnerability has a network attack vector with low complexity, enabling potential information disclosure through specially crafted input. No patch is currently available.

Buffer Overflow Information Disclosure Android
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14574 MEDIUM This Month

The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-67279 MEDIUM This Month

An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format [CVSS 5.3 MEDIUM]

Privilege Escalation Tim Flow
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14782 MEDIUM This Month

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0817 MEDIUM PATCH This Month

Insufficient access controls in the MediaWiki CampaignEvents extension (versions 1.39, 1.43, 1.44, 1.45) permit unauthenticated attackers to perform unauthorized actions by bypassing privilege checks. An attacker could exploit this vulnerability to gain elevated privileges within the extension without proper authorization. A patch is available to remediate this low-impact authorization flaw.

Mediawiki Campaignevents
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20974 MEDIUM This Month

Android versions up to 13.0 contains a vulnerability that allows attackers to bypass Carrier Relock (CVSS 4.6).

Authentication Bypass Android
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-66315 MEDIUM This Month

Mf258K Pro Firmware versions up to zte_mf258kpro_play_v1.0.0b03 is affected by improper privilege management (CVSS 4.3).

Privilege Escalation Mf258k Pro Firmware
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46286 MEDIUM This Month

A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. [CVSS 4.3 MEDIUM]

Apple iOS Ipados Iphone Os
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46299 MEDIUM PATCH This Month

A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 4.3 MEDIUM]

Apple Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13749 MEDIUM This Month

The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13935 MEDIUM This Month

eLearning and online course solution versions up to 3.9.2. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13934 MEDIUM This Month

eLearning and online course solution versions up to 3.9.3. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13753 MEDIUM This Month

The WP Table Builder - Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. [CVSS 4.3 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13628 MEDIUM This Month

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13772 MEDIUM This Month

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. [CVSS 7.1 HIGH]

Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy