Peoplesoft Enterprise Peopletools versions up to 8.60 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of PeopleSoft Enterprise Pe (CVSS 6.1).
Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 6.1).
Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to unauthorized access to critical data or complete access to all Oracle VM Virtual (CVSS 6.0).
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 6.0 MEDIUM]
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Concert versions up to 2.1.0 contains a vulnerability that allows attackers to a remote attacker to obtain sensitive information from allocated memory due to i (CVSS 5.9).
Concert versions up to 2.1.0 contains a vulnerability that allows attackers to a remote attacker to obtain sensitive information from allocated memory due to i (CVSS 5.9).
Imagedirector Capture versions up to 7.6.3.25808. is affected by insufficiently protected credentials (CVSS 5.9).
Keycloak's OpenID Connect Dynamic Client Registration feature fails to validate jwks_uri values when clients authenticate via private_key_jwt, allowing attackers to redirect the server to arbitrary network endpoints. This enables reconnaissance and information disclosure attacks against internal services and cloud metadata endpoints accessible from the Keycloak server. No patch is currently available for this MEDIUM severity vulnerability.
Solaris versions up to 11 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 5.8).
Solaris versions up to 10 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 5.8).
An high privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting'). [CVSS 5.5 MEDIUM]
dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. [CVSS 5.5 MEDIUM]
Business Automation Workflow versions up to 24.0.0 is affected by insertion of sensitive information into externally-accessible file (CVSS 5.5).
Imagedirector Capture versions up to 7.6.3.25808. is affected by use of hard-coded cryptographic key (CVSS 5.5).
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. [CVSS 5.4 MEDIUM]
Tutor LMS plugin for WordPress through version 3.9.4 fails to validate user permissions on the delete_existing_user_photo function, allowing authenticated subscribers and higher-privileged users to delete arbitrary attachments. This integrity and availability vulnerability requires an active WordPress account but no elevated privileges, making it exploitable by low-level users to disrupt site content.
Image Photo Gallery Final Tiles Grid (WordPress plugin) versions up to 3.6.9. is affected by missing authorization (CVSS 5.4).
IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. [CVSS 5.4 MEDIUM]
Google Chrome's Downloads feature on Windows versions before 144.0.7559.59 fails to properly validate file types, enabling remote attackers to circumvent safety protections for dangerous files through crafted malicious uploads. An unauthenticated attacker can exploit this via a specially designed file to bypass download security warnings. No patch is currently available for this medium-severity vulnerability.
Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).
Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).
Chrome versions up to 144.0.7559.59 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).
Chrome versions up to 144.0.7559.59 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).
IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]
IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 5.4).
Peoplesoft Supply Chain Management Purchasing versions up to 9.2 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of PeopleSoft Enterprise SC (CVSS 5.4).
Peoplesoft Enterprise Peopletools versions up to 8.60 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of PeopleSoft Enterprise Pe (CVSS 5.4).
Apex versions up to 23.2.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle APEX Sample Appli (CVSS 5.4).
Utilities Framework versions up to 4.3.0.3.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Utilities Applica (CVSS 5.4).
The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. [CVSS 5.3 MEDIUM]
The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. [CVSS 5.3 MEDIUM]
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. [CVSS 5.3 MEDIUM]
The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. [CVSS 5.3 MEDIUM]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 5.3).
IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]
Unauthenticated attackers can read sensitive data from Oracle Life Sciences Central Designer 7.0.1.0 through an easily exploitable information disclosure vulnerability accessible via HTTP. The flaw requires no user interaction or privileges, allowing remote attackers with network access to gain unauthorized access to a subset of application data. No patch is currently available for this vulnerability.
Configurator contains a vulnerability that allows attackers to unauthorized read access to a subset of Oracle Configurator accessible data (CVSS 5.3).
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. [CVSS 5.3 MEDIUM]
A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. [CVSS 3.1 LOW]
MineAdmin 1.x and 2.x contains insufficient JWT token verification in the /system/refresh endpoint, allowing authenticated remote attackers to tamper with token data and potentially escalate privileges or bypass security controls. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires authenticated access and specific conditions, resulting in a medium severity rating with limited immediate impact.
A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. [CVSS 3.1 LOW]
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. [CVSS 5.3 MEDIUM]
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. [CVSS 5.0 MEDIUM]
Mysql contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).