Latest CVE Feed
-
9.9
CRITICALCVE-2025-64721
Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed h... Read more
Affected Products : sandboxie- Published: Dec. 11, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption
-
9.1
CRITICALCVE-2025-65548
NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 do not validate the size of preimage when the token is spent. The preimage is stored by the mint and attacker can exploit this vulnerability to ... Read more
- Published: Dec. 08, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Denial of Service
-
8.1
HIGHCVE-2025-14016
A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remo... Read more
Affected Products : mall-swarm- Published: Dec. 04, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-13646
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level... Read more
Affected Products : modula_image_gallery- Published: Dec. 03, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Race Condition
-
7.2
HIGHCVE-2025-13645
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author... Read more
Affected Products : modula_image_gallery- Published: Dec. 03, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-63362
Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication.... Read more
- Published: Dec. 04, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
5.7
MEDIUMCVE-2025-63361
Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext.... Read more
- Published: Dec. 04, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Information Disclosure
-
7.1
HIGHCVE-2025-13353
In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is... Read more
Affected Products : gokey- Published: Dec. 02, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cryptography
-
8.8
HIGHCVE-2025-14174
Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)... Read more
Affected Products : linux_kernel chrome macos iphone_os tvos watchos safari windows ipados edge_chromium +1 more products- Actively Exploited
- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2025-36072
IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of unt... Read more
Affected Products : webmethods_integration- Published: Nov. 20, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption
-
5.5
MEDIUMCVE-2025-64524
cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. In versions 2.0.1 and prior, a heap-buffer-overflow vulnerability in the rastertopclx filter causes the pr... Read more
- Published: Nov. 20, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption
-
8.3
HIGHCVE-2025-9624
A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4.... Read more
- Published: Nov. 25, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Denial of Service
-
9.8
CRITICALCVE-2025-59693
The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to obtain debug access and escalate privileges by bypassing the tamper label and opening the chassis ... Read more
- Published: Dec. 02, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
6.8
MEDIUMCVE-2025-59694
The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to persistently modify firmware and influence the (insecurely configured) appliance boot process. To ... Read more
- Published: Dec. 02, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Misconfiguration
-
9.8
CRITICALCVE-2025-59695
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a user with OS root access to alter firmware on the Chassis Management Board (without Authentication). This is called F04.... Read more
- Published: Dec. 02, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
5.5
MEDIUMCVE-2025-62468
Out-of-bounds read in Windows Defender Firewall Service allows an authorized attacker to disclose information locally.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
-
8.7
HIGHCVE-2024-58304
SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in ... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-62549
Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.... Read more
Affected Products : windows_server_2008 windows_server_2012 windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_23h2 +8 more products- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
-
7.8
HIGHCVE-2025-62474
Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.... Read more
Affected Products : windows_server_2008 windows_server_2012 windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_23h2 +7 more products- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
-
6.5
MEDIUMCVE-2025-62473
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.... Read more
Affected Products : windows_server_2008 windows_server_2012 windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_23h2 +8 more products- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025