Latest CVE Feed
-
6.5
MEDIUMCVE-2025-67735
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This lead... Read more
Affected Products : netty- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-14331
Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-64650
IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.18 could disclose sensitive user credentials in log files.... Read more
Affected Products : storage_defender_resiliency_service- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-13231
The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_fil... Read more
Affected Products : fancy_product_designer- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Server-Side Request Forgery
-
6.5
MEDIUMCVE-2025-68078
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2.... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-43511
A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.2. Processing maliciously crafted web content may... Read more
- Published: Dec. 12, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-66100
Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through <= 3.2.3.5.... Read more
Affected Products : restropress- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-10019
Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60... Read more
Affected Products : contact_form_email- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-54748
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RomanCode MapSVG mapsvg allows Path Traversal.This issue affects MapSVG: from n/a through < 8.6.12.... Read more
Affected Products : mapsvg- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-62465
Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
-
6.5
MEDIUMCVE-2025-36015
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input.... Read more
- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-66511
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details ... Read more
- Published: Dec. 05, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Cryptography
-
6.5
MEDIUMCVE-2025-64520
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.... Read more
Affected Products : glpi- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-13880
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getA... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-26381
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-67546
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs WP ERP erp allows Retrieve Embedded Sensitive Data.This issue affects WP ERP: from n/a through <= 1.16.6.... Read more
Affected Products : wp_erp- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-64355
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through 2.7.12.... Read more
Affected Products : jetelements_for_elementor- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-66104
Missing Authorization vulnerability in Anton Vanyukov Offload, AI & Optimize with Cloudflare Images cf-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Offload, AI & Optimize with Cloudflare Images:... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-26489
Improper input validation in the Netconf service in Infinera MTC-9 allows remote authenticated users to crash the service and reboot the appliance, thus causing a DoS condition, via crafted XML payloads.This issue affects MTC-9: from R22.1.1.0275 before... Read more
- Published: Dec. 08, 2025
- Modified: Dec. 22, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-54745
Missing Authorization vulnerability in miniOrange miniOrange's Google Authenticator miniorange-2-factor-authentication allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects miniOrange's Google Authenticator: from n/a t... Read more
Affected Products : google_authenticator- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization