Latest CVE Feed
-
6.5
MEDIUMCVE-2025-64270
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in masteriyo Masteriyo - LMS learning-management-system allows Retrieve Embedded Sensitive Data.This issue affects Masteriyo - LMS: from n/a through <= 2.0.3.... Read more
Affected Products : masteriyo- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-66947
SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may le... Read more
Affected Products :- Published: Dec. 26, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-68080
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal User Avatar - Reloaded user-avatar-reloaded allows Stored XSS.This issue affects User Avatar - Reloaded: from n/a through <= 1.2.2.... Read more
Affected Products : user_avatar-reloaded- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-14780
A vulnerability was detected in Xiongwei Smart Catering Cloud Platform 2.1.6446.28761. The affected element is an unknown function of the file /dishtrade/dish_trade_detail_get. The manipulation of the argument filter results in sql injection. The attack c... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-9613
A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the same tag. This t... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-36015
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.... Read more
- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-68382
Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through a reliable process crash when handling truncated XDR-encoded RPC m... Read more
Affected Products : packetbeat- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-59935
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.... Read more
Affected Products : glpi- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-13880
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getA... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-65380
PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the admin/index.php endpoint. Specifically, the username parameter accepts unvalidated user input, which is then concatenated directly into a backend SQL query.... Read more
Affected Products : billing_system- Published: Dec. 02, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-26381
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-66454
Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticat... Read more
Affected Products :- Published: Dec. 02, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-12689
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.... Read more
Affected Products : mattermost_server- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-55893
TOTOLINK N200RE V9.3.5u.6437_B20230519 is vulnerable to command Injection in setOpModeCfg via hostName.... Read more
- Published: Dec. 15, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-67976
Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Watu Quiz: from n/a through <= 3.4.5.... Read more
Affected Products : watu_quiz- Published: Dec. 16, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-65814
A lack of security checks in the file import process of RHOPHI Analytics LLP Office App-Edit Word v6.4.1 allows attackers to execute a directory traversal.... Read more
Affected Products : office_app-edit_word\,_pdf_file- Published: Dec. 10, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-14052
A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The ... Read more
Affected Products : youlai-mall- Published: Dec. 05, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2024-2105
An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2016-20023
In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided.... Read more
Affected Products : ckfinder- Published: Dec. 05, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-68070
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS.This issue affects VK Google Job Posting Manager: from n/a thro... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Scripting