Latest CVE Feed
-
7.1
HIGHCVE-2025-62721
LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists,... Read more
Affected Products : linkace- Published: Nov. 04, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-61543
A Host Header Injection vulnerability exists in the password reset functionality of CraftMyCMS 4.0.2.2. The system uses `$_SERVER['HTTP_HOST']` directly to construct password reset links sent via email. An attacker can manipulate the Host header to send m... Read more
Affected Products :- Published: Oct. 16, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-49911
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Reflected XSS.This issue affects WooCommerce Vehicle Parts Finder: from n/a t... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-61907
Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authen... Read more
Affected Products : icinga- Published: Oct. 16, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Information Disclosure
-
7.1
HIGHCVE-2025-48098
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Survey Maker survey-maker allows Stored XSS.This issue affects Survey Maker: from n/a through <= 5.1.8.8.... Read more
Affected Products : survey_maker- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-37147
A Secure Boot Bypass Vulnerability exists in affected Access Points that allows an adversary to bypass the hardware root of trust verification in place to ensure only vendor-signed firmware can execute on the device. An adversary can exploit this vulnerab... Read more
Affected Products :- Published: Oct. 14, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Authentication
-
7.1
HIGHCVE-2025-48092
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jurajpuchky Fix Multiple Redirects fix-multiple-redirects allows Reflected XSS.This issue affects Fix Multiple Redirects: from n/a through <= 1.2.3.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-61136
A Host Header Injection vulnerability in the password reset component in axewater sharewarez v2.4.3 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) g... Read more
Affected Products :- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Misconfiguration
-
7.1
HIGHCVE-2025-62688
An incorrect permission assignment for a critical resource vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an attacker with low-privileged credentials to change their role, gaining full control access... Read more
- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-62041
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor.This issue affects TheGem (Elementor): from n/a through <= 5.10.5.1.... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-62986
Cross-Site Request Forgery (CSRF) vulnerability in FanBridge FanBridge signup fanbridge-signup allows Stored XSS.This issue affects FanBridge signup: from n/a through <= 0.6.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.1
HIGHCVE-2025-12636
The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds ... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Authentication
-
7.1
HIGHCVE-2025-61132
A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) gen... Read more
Affected Products :- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-54721
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Resca resca allows Reflected XSS.This issue affects Resca: from n/a through <= 3.0.2.... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-62720
LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to their owners. T... Read more
Affected Products : linkace- Published: Nov. 04, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-55670
On BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes systems, repeated undisclosed API calls can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are no... Read more
- Published: Oct. 15, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Denial of Service
-
7.0
HIGHCVE-2025-55691
Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 30, 2025
-
7.0
HIGHCVE-2025-7330
A cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged in admi... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.0
HIGHCVE-2025-55684
Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 27, 2025
-
7.0
HIGHCVE-2025-59282
Concurrent execution using shared resource with improper synchronization ('race condition') in Inbox COM Objects allows an unauthorized attacker to execute code locally.... Read more
Affected Products : windows_server_2008 windows_server_2012 windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_22h2 +10 more products- Published: Oct. 14, 2025
- Modified: Oct. 27, 2025