Latest CVE Feed
-
9.8
CRITICALCVE-2024-14010
Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remot... Read more
Affected Products : typora- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2024-58314
Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' p... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Injection
-
4.6
MEDIUMCVE-2025-67634
The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the ... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
6.3
MEDIUMCVE-2025-8082
Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss attack. The vulnerabilit... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-0969
The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and ... Read more
Affected Products : brizy- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Information Disclosure
-
9.4
CRITICALCVE-2025-36752
Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively b... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
9.4
CRITICALCVE-2025-36747
ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Misconfiguration
-
6.4
MEDIUMCVE-2025-9856
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input s... Read more
Affected Products : popup_builder- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-12696
The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them... Read more
Affected Products :- Published: Dec. 14, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
4.8
MEDIUMCVE-2025-14698
A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched loc... Read more
Affected Products :- Published: Dec. 15, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Path Traversal
-
7.0
HIGHCVE-2025-14693
A vulnerability has been found in Ugreen DH2100+ up to 5.3.0. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. The attack can be executed directly on the physical device. The exploit has been dis... Read more
Affected Products :- Published: Dec. 15, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Path Traversal
-
6.4
MEDIUMCVE-2025-12537
The Addon Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.14.3. This is due to insufficient input sanitization and output escaping on multiple widget parameters. This makes i... Read more
Affected Products :- Published: Dec. 14, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
8.7
HIGHCVE-2025-13824
A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault with solid red Fault LED and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED ... Read more
Affected Products :- Published: Dec. 15, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Denial of Service
-
6.4
MEDIUMCVE-2025-8617
The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user sup... Read more
Affected Products : yith_woocommerce_quick_view- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-11707
The Login Lockdown & Protection plugin for WordPress is vulnerable to IP Block Bypass in all versions up to, and including, 2.14. This is due to $unblock_key key being insufficiently random allowing unauthenticated users, with access to an administrative ... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-14156
The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v... Read more
Affected Products :- Published: Dec. 15, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
6.4
MEDIUMCVE-2025-13728
The FluentAuth – The Ultimate Authorization & Security Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fluent_auth_reset_password` shortcode in all versions up to, and including, 2.0.3 due to insuff... Read more
Affected Products : fluentauth- Published: Dec. 15, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
4.7
MEDIUMCVE-2025-14451
The Solutions Ad Manager plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.0.0. This is due to insufficient validation on the redirect URL supplied via the 'sam-redirect-to' parameter. This makes it possible for u... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Misconfiguration
-
8.1
HIGHCVE-2025-67900
NXLog Agent before 6.11 can load a file specified by the OPENSSL_CONF environment variable.... Read more
Affected Products :- Published: Dec. 14, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Misconfiguration
-
5.3
MEDIUMCVE-2025-67901
openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data, because the relationship between p->rem and p->len is not checked.... Read more
Affected Products :- Published: Dec. 15, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption