Skip to main content
CVE-2025-53598 MEDIUM This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1387 MEDIUM This Month

Gitlab versions up to 18.6.6 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13431 MEDIUM This Month

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress Industrial SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2320 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2318 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1458 MEDIUM This Month

Gitlab versions up to 18.6.6 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1456 MEDIUM This Month

Gitlab versions up to 18.7.4 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1786 MEDIUM This Month

The Twitter posts to Blog plugin for WordPress versions up to 1.11.25 lacks proper access controls on the settings function, allowing unauthenticated attackers to modify plugin configuration including Twitter API credentials and post parameters. This capability check bypass could enable attackers to hijack the plugin's functionality or escalate privileges within WordPress installations. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2316 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-65127 MEDIUM This Month

A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote unauthenticated attackers to access administrative information-retrieval functions intended for authenticated users. [CVSS 6.5 MEDIUM]

Industrial
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62853 MEDIUM This Month

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]

Path Traversal File Station
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54170 MEDIUM This Month

An out-of-bounds read vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data. [CVSS 6.5 MEDIUM]

Buffer Overflow Information Disclosure Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54152 MEDIUM This Month

A use of out-of-range pointer offset vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read sensitive portions of memory. [CVSS 6.5 MEDIUM]

Buffer Overflow Information Disclosure Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2317 MEDIUM PATCH This Month

Google Chrome versions before 145.0.7632.45 contain an animation implementation flaw that allows remote attackers to exfiltrate cross-origin data through specially crafted HTML pages. The vulnerability requires user interaction to trigger and affects all Chrome users, potentially exposing sensitive information from other websites. No patch is currently available.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1235 MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20680 MEDIUM This Month

Sandboxed applications on Apple platforms (macOS Tahoe, Sonoma, Sequoia, iOS, and iPadOS) can bypass app state observability restrictions to access sensitive user data. A local attacker with app execution privileges could exploit this information disclosure vulnerability to observe data from other applications. Patches are available in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5, and iPadOS 18.7.5.

Apple Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26012 MEDIUM This Month

Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls and retrieve all ciphers within their organization through the /ciphers/organization-details endpoint. An attacker with regular member privileges can access sensitive credentials and encrypted data they should not have permission to view. No patch is currently available for affected deployments.

Authentication Bypass Vaultwarden Red Hat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15400 MEDIUM This Month

The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1231 MEDIUM This Month

Stored cross-site scripting in Beaver Builder Page Builder plugin for WordPress through version 2.10.0.5 allows authenticated users with Custom-level access or higher to inject malicious scripts into global settings that execute for all site visitors. The vulnerability stems from missing capability checks and insufficient input sanitization in the save_global_settings() function. Attackers can exploit this to deface pages, steal credentials, or perform actions on behalf of other users viewing affected content.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1827 MEDIUM This Month

The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerability in its codeflask shortcode due to inadequate input validation and output encoding. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute for all visitors accessing affected pages. No patch is currently available.

WordPress Flask XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1809 MEDIUM This Month

Stored cross-site scripting in the HTML Tag Shortcodes WordPress plugin through version 1.1 allows authenticated contributors and above to execute arbitrary scripts on site pages through inadequately sanitized shortcode attributes. Affected users will run attacker-injected code whenever they visit compromised pages, potentially leading to session hijacking or malicious content injection.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1885 MEDIUM This Month

Stored XSS in WordPress Slideshow WP plugin through version 1.1 allows authenticated users with contributor-level access to inject malicious scripts via the 'sswpid' shortcode attribute due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling attackers to steal session data or perform unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1853 MEDIUM This Month

Stored XSS in BuddyHolis ListSearch plugin for WordPress through version 1.1 allows authenticated contributors and above to inject malicious scripts into pages via inadequately sanitized shortcode attributes. When site visitors access compromised pages, the injected scripts execute in their browsers, potentially enabling account hijacking, session theft, or malicious redirects. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1826 MEDIUM This Month

Stored XSS in OpenPOS Lite for WooCommerce plugin (versions up to 3.0) allows authenticated contributors and above to inject malicious scripts via the order_qrcode shortcode's width parameter, which execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content without user interaction. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1821 MEDIUM This Month

Stored cross-site scripting in the WordPress Microtango plugin through version 0.9.29 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'restkey' parameter that execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping in the mt_reservation shortcode. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1804 MEDIUM This Month

Stored XSS in the WDES Responsive Popup WordPress plugin through version 1.3.6 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wdes-popup-title' shortcode due to inadequate input sanitization. When victims visit affected pages containing the injected payload, the scripts execute in their browsers, potentially compromising site integrity and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1893 MEDIUM This Month

Orbisius Random Name Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13650 MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Surname’ parameter of the ‘Create Account’ operation at the URL:  https://zeus.microcom.es:4040/index.html?zeus6=true .

XSS Zeusweb
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13649 MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Email’ parameters within the ‘Recover password’ section at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true .

XSS Zeusweb
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13648 MEDIUM This Month

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and “Surname” parameters within the ‘My Account’ section at the URL: https://zeus.microcom.es:4040/administracion-estaciones.html  resulting in a stored XSS.

XSS Zeusweb
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1571 MEDIUM This Month

Reflected cross-site scripting in TP-Link Archer C60 v3 firmware permits arbitrary JavaScript execution through malicious URLs, enabling attackers to steal credentials or hijack sessions when targeted at privileged users. The vulnerability requires user interaction to trigger but has network-accessible attack vectors with no authentication needed. No patch is currently available.

TP-Link Archer C60 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-48508 MEDIUM This Month

Improper Hardware reset flow logic in the GPU GFX Hardware IP block could allow a privileged attacker in a guest virtual machine to control reset operation potentially causing host or GPU crash or reset resulting in denial of service. [CVSS 6.0 MEDIUM]

Denial Of Service
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-46310 MEDIUM This Month

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. [CVSS 6.0 MEDIUM]

Apple Privilege Escalation
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-26014 MEDIUM PATCH This Month

Pion DTLS is a Go implementation of Datagram Transport Layer Security. [CVSS 5.9 MEDIUM]

Golang Dtls Red Hat Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-13391 MEDIUM This Month

The Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. [CVSS 5.8 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-46305 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46304 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Denial Of Service
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46303 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46302 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46301 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-46300 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. [CVSS 5.7 MEDIUM]

Apple Buffer Overflow
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-20627 MEDIUM This Month

Insufficient validation of environment variables in Apple's macOS, iOS, iPadOS, and visionOS allows local applications to read sensitive user data without user interaction. An attacker with the ability to run code on the affected device could exploit this to access confidential information through improperly sanitized environment variable handling. A patch is not currently available for this medium-severity vulnerability.

Apple Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-43537 MEDIUM This Month

A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5. [CVSS 5.5 MEDIUM]

Apple Path Traversal
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20669 MEDIUM This Month

macOS path validation bypass allows local authenticated users to read sensitive user data through improper directory path parsing. The vulnerability requires local access and valid credentials, limiting the attack surface to users already on the affected system. No patch is currently available for this medium-severity issue affecting macOS Tahoe 26.3 and earlier versions.

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20653 MEDIUM This Month

Improper path validation in Apple's macOS, iOS, and visionOS allows local attackers to bypass directory access restrictions and read sensitive user data through crafted file paths. An authenticated user with local access can exploit this parsing weakness without user interaction to access confidential information. No patch is currently available for this vulnerability.

Apple Path Traversal
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20648 MEDIUM This Month

Malicious applications on macOS can intercept and read notifications synced from other iCloud-connected devices due to improper access controls on notification data. This local privilege escalation affects macOS versions prior to Tahoe 26.3 and requires user interaction to execute the malicious app. An attacker with local access could gain unauthorized visibility into private notifications and communications across a user's device ecosystem.

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20647 MEDIUM This Month

This issue was addressed with improved data protection. This issue is fixed in macOS Tahoe 26.3. [CVSS 5.5 MEDIUM]

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20638 MEDIUM This Month

A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. [CVSS 5.5 MEDIUM]

Apple iOS Iphone Os Ipados
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20623 MEDIUM This Month

macOS applications can bypass permission restrictions to access sensitive user data due to a permissions validation flaw affecting macOS versions prior to Tahoe 26.3. An attacker would need local access and user interaction to exploit this vulnerability, resulting in unauthorized disclosure of protected information without affecting system integrity or availability. This issue has been patched in macOS Tahoe 26.3.

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20618 MEDIUM This Month

macOS Tahoe versions prior to 26.3 contain an improper temporary file handling vulnerability that allows local authenticated applications to read sensitive user data. The vulnerability requires local access and valid user privileges but poses no risk to system integrity or availability. No patch is currently available for affected systems.

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy