Latest CVE Feed
-
6.5
MEDIUMCVE-2025-62096
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Maximum Products per User for WooCommerce allows Stored XSS.This issue affects Maximum Products per User for WooCommerce: from n/a through 4.4.... Read more
Affected Products :- Published: Dec. 31, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-65075
WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete files, with the permissions of dvr user, on the server using p... Read more
Affected Products : video_management_software_server- Published: Dec. 16, 2025
- Modified: Dec. 22, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-68431
libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (l... Read more
Affected Products : libheif- Published: Dec. 29, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-9614
An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on re-keying and stream flushing during device rebinding may allow stale write transactions from a previous security context t... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-15187
A vulnerability was found in GreenCMS up to 2.3. This affects an unknown part of the file /DataController.class.php of the component File Handler. Performing manipulation of the argument sqlFiles/zipFiles results in path traversal. The attack can be initi... Read more
Affected Products : greencms- Published: Dec. 29, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-4097
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted ... Read more
Affected Products : gitlab- Published: Dec. 11, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-14512
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute va... Read more
Affected Products : glib- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-62761
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BasePress Knowledge Base documentation & wiki plugin – BasePress allows Stored XSS.This issue affects Knowledge Base documentation & wiki plugin – BasePr... Read more
Affected Products :- Published: Dec. 31, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-14508
The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due t... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-14568
A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. The manipulation of the argument employee_id/id/admin leads to sql... Read more
Affected Products : stock-management-system- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-14522
A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestri... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-59949
FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue.... Read more
Affected Products : freshrss- Published: Dec. 18, 2025
- Modified: Dec. 30, 2025
- Vuln Type: Cross-Site Request Forgery
-
6.5
MEDIUMCVE-2016-20023
In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided.... Read more
Affected Products : ckfinder- Published: Dec. 05, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-15357
A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been mad... Read more
Affected Products : di-7400g\+_firmware- Published: Dec. 30, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-68384
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user set... Read more
Affected Products : elasticsearch- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-63039
Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through <= 2.9.9.... Read more
Affected Products : listingpro- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-68382
Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through a reliable process crash when handling truncated XDR-encoded RPC m... Read more
Affected Products : packetbeat- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-55893
TOTOLINK N200RE V9.3.5u.6437_B20230519 is vulnerable to command Injection in setOpModeCfg via hostName.... Read more
- Published: Dec. 15, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-55901
TOTOLINK A3300R V17.0.0cu.596_B20250515 is vulnerable to command injection in the function NTPSyncWithHost via the host_time parameter.... Read more
- Published: Dec. 15, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-68381
Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid ... Read more
Affected Products : packetbeat- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption