Latest CVE Feed
-
8.8
HIGHCVE-2025-14364
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. Th... Read more
Affected Products : demo_importer_plus- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2024-58281
Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command exe... Read more
Affected Products : dotclear- Published: Dec. 10, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2024-32642
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.... Read more
Affected Products : masacms- Published: Dec. 03, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2023-53933
Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbit... Read more
Affected Products : serendipity- Published: Dec. 17, 2025
- Modified: Dec. 24, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2023-53868
Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and ... Read more
Affected Products : coppermine_photo_gallery- Published: Dec. 15, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2025-56079
OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-65817
LSC Smart Connect Indoor IP Camera 1.4.13 contains a RCE vulnerability in start_app.sh.... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-13214
IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-68434
Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the applicatio... Read more
Affected Products : open_source_point_of_sale- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2023-53900
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through im... Read more
Affected Products : spip- Published: Dec. 16, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2025-67469
Cross-Site Request Forgery (CSRF) vulnerability in kubiq PDF Thumbnail Generator pdf-thumbnail-generator allows Cross Site Request Forgery.This issue affects PDF Thumbnail Generator: from n/a through <= 1.4.... Read more
Affected Products : pdf_thumbnail_generator- Published: Dec. 09, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2025-66429
An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user.... Read more
Affected Products : cpanel- Published: Dec. 11, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2023-53776
Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to exploit weak session management by reusing IP-bound session identifiers. Attackers can issue unauthorized requests to the device management API by leveraging the... Read more
- Published: Dec. 10, 2025
- Modified: Jan. 02, 2026
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-12153
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level acce... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-13094
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attack... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-44016
A vulnerability in TeamViewer DEX Client (former 1E client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to bypass file integrity validation via a crafted request. By providing a valid hash for a... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2025-68586
Missing Authorization vulnerability in Gora Tech Cooked cooked allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cooked: from n/a through <= 1.11.2.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2024-58305
WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute... Read more
Affected Products : wondercms- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-66918
edoc-doctor-appointment-system v1.0.1 is vulnerable to Cross Site Scripting (XSS) in admin/add-session.php via the "title" parameter.... Read more
Affected Products : edoc-doctor-appointment-system- Published: Dec. 11, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-56082
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the check_changes in file /usr/lib/lua/luci/controller/admin/common.lua.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Injection