Latest CVE Feed
-
5.1
MEDIUMCVE-2025-64781
In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the initial configuration. With this configuration, the user m... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
5.1
MEDIUMCVE-2025-64700
Cross-site request forgery vulnerability exists in GROWI v7.3.3 and earlier. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.... Read more
Affected Products : growi- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.1
MEDIUMCVE-2025-40700
Reflected Cross-Site Scripting (XSS) in IDI Eikon's Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'q' parameter in '/search' is sent to them. This vulnerability can be exp... Read more
Affected Products : governalia- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Cross-Site Scripting
-
5.1
MEDIUMCVE-2025-65842
The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization log... Read more
Affected Products : aquarius_helpertool- Published: Dec. 03, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
5.1
MEDIUMCVE-2025-6349
Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed memory.Th... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Memory Corruption
-
5.1
MEDIUMCVE-2019-25242
FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new adm... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.1
MEDIUMCVE-2025-11009
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GT Designer3 Version1 (GOT2000) all versions and Mitsubishi Electric GT Designer3 Version1 (GOT1000) all versions allows a local unauthenticated attacker to obtain plaintext c... Read more
Affected Products : gt_designer3- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
5.1
MEDIUMCVE-2018-25149
Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify sy... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.1
MEDIUMCVE-2023-53906
projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets sect... Read more
Affected Products : projectsend- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cross-Site Scripting
-
5.1
MEDIUMCVE-2023-53870
Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially st... Read more
Affected Products : jorani- Published: Dec. 15, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Cross-Site Scripting
-
5.1
MEDIUMCVE-2025-34430
1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An a... Read more
Affected Products : 1panel- Published: Dec. 10, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.0
MEDIUMCVE-2025-67461
External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access.... Read more
Affected Products : rooms- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
5.0
MEDIUMCVE-2025-66407
Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to ... Read more
Affected Products : weblate- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Server-Side Request Forgery
-
5.0
MEDIUMCVE-2025-36360
IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcem... Read more
Affected Products : urbancode_deploy devops_deploy ucd___ibm_devops_deploy ucd___ibm_urbancode_deploy- Published: Dec. 15, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Race Condition
-
5.0
MEDIUMCVE-2025-66370
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.... Read more
Affected Products :- Published: Nov. 28, 2025
- Modified: Dec. 01, 2025
- Vuln Type: XML External Entity
-
5.0
MEDIUMCVE-2025-14606
A security vulnerability has been detected in tiny-rdm Tiny RDM up to 1.2.5. Affected by this vulnerability is the function pickle.loads of the file pickle_convert.go of the component Pickle Decoding. The manipulation leads to deserialization. The attack ... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Injection
-
5.0
MEDIUMCVE-2025-64631
Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Marketplace: from n/a through <= 3.6.15.... Read more
Affected Products : wcfm_marketplace- Published: Dec. 16, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Authorization
-
5.0
MEDIUMCVE-2025-66432
In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date.... Read more
Affected Products :- Published: Nov. 30, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authentication
-
5.0
MEDIUMCVE-2025-66371
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.... Read more
Affected Products :- Published: Nov. 28, 2025
- Modified: Dec. 01, 2025
- Vuln Type: XML External Entity
-
5.0
MEDIUMCVE-2025-67844
The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during conf... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure