Latest CVE Feed
-
6.1
MEDIUMCVE-2025-34407
MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the theme parameter of /Mondo/lang/sys/Forms/Statistics.aspx. The theme value is insufficiently sanitized when processed via a GET request and is reflected ... Read more
Affected Products : mailenable- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-34406
MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Id parameter of /Mobile/ContactDetails.aspx. The Id value is not properly sanitized when processed via a GET request and is reflected within a <script> ... Read more
Affected Products : mailenable- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-12581
The Attachments Handler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-42872
Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal, an unauthenticated attacker could inject malicious scripts that execute in the context of other users� browsers, allowing the attacker to steal session cookies, tokens, ... Read more
Affected Products : netweaver- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-13626
The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unau... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-13894
The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for u... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
6.0
MEDIUMCVE-2025-12986
When a WF200/WGM160P device is configured to operate as an Access Point, it may be vulnerable to a denial of service triggered by a malformed packet. The device may recover automatically or require a hard reset.... Read more
Affected Products : gecko_software_development_kit- Published: Dec. 04, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Denial of Service
-
6.0
MEDIUMCVE-2025-49643
An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.... Read more
Affected Products : zabbix- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Denial of Service
-
6.0
MEDIUMCVE-2025-14763
Missing cryptographic key commitment in the Amazon S3 Encryption Client for Java may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file"... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cryptography
-
6.0
MEDIUMCVE-2025-14764
Missing cryptographic key commitment in the Amazon S3 Encryption Client for Go may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" i... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cryptography
-
6.0
MEDIUMCVE-2025-14777
A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against th... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Authorization
-
6.0
MEDIUMCVE-2025-14759
Missing cryptographic key commitment in the Amazon S3 Encryption Client for .NET may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file"... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cryptography
-
6.0
MEDIUMCVE-2024-40593
A key management errors vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.5, For... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cryptography
-
6.0
MEDIUMCVE-2025-14762
Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's met... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cryptography
-
6.0
MEDIUMCVE-2025-14761
Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's meta... Read more
Affected Products : aws_software_development_kit- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cryptography
-
6.0
MEDIUMCVE-2025-66910
Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentic... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
6.0
MEDIUMCVE-2025-14760
Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's meta... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cryptography
-
5.9
MEDIUMCVE-2025-62408
c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.... Read more
Affected Products : c-ares- Published: Dec. 08, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Denial of Service
-
5.9
MEDIUMCVE-2025-41739
An unauthenticated remote attacker, who beats a race condition, can exploit a flaw in the communication servers of the CODESYS Control runtime system on Linux and QNX to trigger an out-of-bounds read via crafted socket communication, potentially causing a... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Race Condition
-
5.9
MEDIUMCVE-2025-53960
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password usin... Read more
Affected Products : streampark- Published: Dec. 12, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Cryptography