Skip to main content
CVE-2025-14146 MEDIUM This Month

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible ...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13717 MEDIUM This Month

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20973 MEDIUM This Month

libimagecodec.quram.so in Android devices prior to the January 2026 Security Maintenance Release 1 contains an out-of-bounds read vulnerability that allows remote attackers to access sensitive memory without authentication. The vulnerability has a network attack vector with low complexity, enabling potential information disclosure through specially crafted input. No patch is currently available.

Buffer Overflow Information Disclosure Android
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14574 MEDIUM This Month

The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-67279 MEDIUM This Month

An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format [CVSS 5.3 MEDIUM]

Privilege Escalation Tim Flow
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14782 MEDIUM This Month

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0817 MEDIUM PATCH This Month

Insufficient access controls in the MediaWiki CampaignEvents extension (versions 1.39, 1.43, 1.44, 1.45) permit unauthenticated attackers to perform unauthorized actions by bypassing privilege checks. An attacker could exploit this vulnerability to gain elevated privileges within the extension without proper authorization. A patch is available to remediate this low-impact authorization flaw.

Mediawiki Campaignevents
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20974 MEDIUM This Month

Android versions up to 13.0 contains a vulnerability that allows attackers to bypass Carrier Relock (CVSS 4.6).

Authentication Bypass Android
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-66315 MEDIUM This Month

Mf258K Pro Firmware versions up to zte_mf258kpro_play_v1.0.0b03 is affected by improper privilege management (CVSS 4.3).

Privilege Escalation Mf258k Pro Firmware
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46286 MEDIUM This Month

A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. [CVSS 4.3 MEDIUM]

Apple iOS Ipados Iphone Os
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46299 MEDIUM PATCH This Month

A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 4.3 MEDIUM]

Apple Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13749 MEDIUM This Month

The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13935 MEDIUM This Month

eLearning and online course solution versions up to 3.9.2. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13934 MEDIUM This Month

eLearning and online course solution versions up to 3.9.3. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13753 MEDIUM This Month

The WP Table Builder - Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. [CVSS 4.3 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13628 MEDIUM This Month

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13772 MEDIUM This Month

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. [CVSS 7.1 HIGH]

Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-3950 LOW Monitor

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection. [CVSS 3.5 LOW]

Gitlab
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-62487 LOW Monitor

On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. [CVSS 3.5 LOW]

Authentication Bypass
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-20972 LOW Monitor

Improper Export of Android Application Components in UwbTest prior to SMR Jan-2026 Release 1 allows local attackers to enable UWB. [CVSS 3.3 LOW]

Android
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-46676 LOW Monitor

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain an Exposure of Sensitive Information to an Unauthorized Actor vulnerability. [CVSS 2.7 LOW]

Information Disclosure Data Domain Operating System
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-46643 LOW Monitor

Data Domain Operating System versions up to 8.4.0.0 is affected by heap-based buffer overflow (CVSS 2.3).

Buffer Overflow Heap Overflow Denial Of Service Data Domain Operating System
NVD
CVSS 3.1
2.3
EPSS
0.0%
CVE-2020-36875 This Week

AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget.

WordPress PHP RCE
NVD WPScan
EPSS
0.1%
CVE-2025-7072 This Week

The firmware in KAON CG3000TC and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges.

Authentication Bypass
NVD
EPSS
0.1%
CVE-2026-22082 Monitor

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface.

Information Disclosure
NVD
EPSS
0.1%
CVE-2026-22714 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.

Mediawiki XSS
NVD
EPSS
0.0%
CVE-2026-22081 Monitor

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface.

Information Disclosure
NVD
EPSS
0.0%
CVE-2026-22080 Monitor

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface.

Authentication Bypass Information Disclosure
NVD
EPSS
0.0%
CVE-2026-22079 Monitor

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface.

Authentication Bypass Information Disclosure
NVD
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy