Latest CVE Feed
-
6.5
MEDIUMCVE-2025-58477
Out-of-bounds write in parsing IFD tag in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory.... Read more
Affected Products : android- Published: Dec. 02, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-13359
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on th... Read more
Affected Products : taxopress- Published: Dec. 03, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-67436
Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php).... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-66202
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the ori... Read more
Affected Products : astro- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-65379
PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the /admin/password-recovery.php endpoint. Specifically, the username and mobileno parameters accepts unvalidated user input, which is then concatenated directly into a backend SQL query.... Read more
Affected Products : billing_system- Published: Dec. 02, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-14227
A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. This issue affects some unknown processing of the file /edit.php. The manipulation results in sql injection. The attack may be performed from... Read more
Affected Products :- Published: Dec. 08, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-61727
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *... Read more
Affected Products : go- Published: Dec. 03, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-13809
A vulnerability has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this issue is some unknown functionality of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineInfoControlle... Read more
Affected Products : orion-ops- Published: Dec. 01, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Server-Side Request Forgery
-
6.5
MEDIUMCVE-2025-13606
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This mak... Read more
Affected Products : export_all_posts\,_products\,_orders\,_refunds_\&_users- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Cross-Site Request Forgery
-
6.5
MEDIUMCVE-2025-36017
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user.... Read more
Affected Products : controller- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-66737
Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic component.... Read more
Affected Products :- Published: Dec. 26, 2025
- Modified: Dec. 27, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-66306
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct ... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-14204
A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument au... Read more
Affected Products :- Published: Dec. 07, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-13789
A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit ha... Read more
Affected Products : zentao- Published: Nov. 30, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Server-Side Request Forgery
-
6.5
MEDIUMCVE-2025-62094
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Voidthemes Void Elementor WHMCS Elements For Elementor Page Builder.This issue affects Void Elementor WHMCS Elements For Elementor Page Builder: from n/a... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-15106
A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The a... Read more
Affected Products :- Published: Dec. 27, 2025
- Modified: Dec. 27, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-65405
A use-after-free in the ADTSAudioFileSource::samplingFrequency() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS/AAC file.... Read more
Affected Products : streaming_media- Published: Dec. 01, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-65408
A NULL pointer dereference in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS file.... Read more
Affected Products : streaming_media- Published: Dec. 01, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-15081
A vulnerability has been found in JD Cloud BE6500 4.4.1.r4308. This issue affects the function sub_4780 of the file /jdcapi. Such manipulation of the argument ddns_name leads to command injection. The attack may be performed from remote. The exploit has b... Read more
Affected Products :- Published: Dec. 25, 2025
- Modified: Dec. 25, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-13949
A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file /server/controller/FileController.go. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remote... Read more
Affected Products :- Published: Dec. 03, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Misconfiguration