Latest CVE Feed
-
8.8
HIGHCVE-2025-56086
OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-56096
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common.lua.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-68645
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craf... Read more
Affected Products : collaboration- Published: Dec. 22, 2025
- Modified: Jan. 02, 2026
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2025-56082
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the check_changes in file /usr/lib/lua/luci/controller/admin/common.lua.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-56107
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the submit_wifi in file /usr/lib/lua/luci/controller/admin/common_quick_config.lua.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-64254
Missing Authorization vulnerability in Ronald Huereca Photo Block photo-block allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Photo Block: from n/a through <= 1.5.1.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-13214
IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2023-53964
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data t... Read more
Affected Products : stream- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-66429
An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user.... Read more
Affected Products : cpanel- Published: Dec. 11, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2025-26866
A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to h... Read more
Affected Products : hugegraph- Published: Dec. 12, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-56077
OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-13094
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attack... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2024-5401
Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote ... Read more
- Published: Dec. 04, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-12189
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonc... Read more
Affected Products : bread_and_butter- Published: Dec. 05, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2025-44016
A vulnerability in TeamViewer DEX Client (former 1E client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to bypass file integrity validation via a crafted request. By providing a valid hash for a... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2021-47735
CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and s... Read more
Affected Products : cmsimple- Published: Dec. 23, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2023-53868
Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and ... Read more
Affected Products : coppermine_photo_gallery- Published: Dec. 15, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2024-58305
WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute... Read more
Affected Products : wondercms- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-46268
Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands.... Read more
Affected Products : webaccess\/scada- Published: Dec. 18, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-14364
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. Th... Read more
Affected Products : demo_importer_plus- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization