Latest CVE Feed
-
6.5
MEDIUMCVE-2025-15009
A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unre... Read more
Affected Products : chestnutcms- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-63095
Improper input validation in the BitstreamWriter::write_bits() function of Tempus Ex hello-video-codec v0.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.... Read more
Affected Products : hello-video-codec- Published: Dec. 01, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-14747
A vulnerability was found in Ningyuanda TC155 57.0.2.0. The impacted element is an unknown function of the component RTSP Service. Performing manipulation results in denial of service. The attack must originate from the local network. The exploit has been... Read more
- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2024-2105
An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-14746
A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the l... Read more
- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-67720
Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if t... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-15152
A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Such manipulation of the ... Read more
Affected Products :- Published: Dec. 28, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-14157
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with... Read more
Affected Products : gitlab- Published: Dec. 11, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-64375
Missing Authorization vulnerability in Mahmudul Hasan Arif WP Social Ninja wp-social-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Social Ninja: from n/a through <= 3.20.1.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-67549
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows DOM-Based XSS.This issue affects oik: from n/a through <= 4.15.3.... Read more
Affected Products : oik- Published: Dec. 09, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-15246
A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation ... Read more
Affected Products : snail-job- Published: Dec. 30, 2025
- Modified: Dec. 30, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-8305
An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being printed in plaintext in Identity Agent for Terminal Services debug files.... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-60070
Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection.This issue affects Molla: from n/a through <= 1.5.13.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-36917
In SwDcpItg of up_L2commonPdcpSecurity.cpp, there is a possible denial of service due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation... Read more
Affected Products : android- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-36912
In cellular modem, there is a possible denial of service due to a logic error in the code. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.... Read more
Affected Products : android- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-14446
The Popup Builder (Easy Notify Lite) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the easynotify_cp_reset() function in all versions up to, and including, 1.1.37. This makes it possible for a... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-68267
In JetBrains TeamCity before 2025.11.1 excessive privileges were possible due to storing GitHub personal access token instead of an installation token... Read more
Affected Products : teamcity- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-14516
A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. T... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Server-Side Request Forgery
-
6.5
MEDIUMCVE-2025-66581
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multipl... Read more
Affected Products : learning- Published: Dec. 05, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-10163
The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and ... Read more
Affected Products : list_category_posts- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Injection