Latest CVE Feed
-
6.4
MEDIUMCVE-2025-11376
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied ... Read more
Affected Products : colibri_page_builder- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
8.5
HIGHCVE-2025-36750
ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engi... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
9.4
CRITICALCVE-2025-36751
Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cryptography
-
8.8
HIGHCVE-2025-13094
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attack... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-14674
A vulnerability was found in aizuda snail-job up to 1.6.0. Affected by this vulnerability is the function QLExpressEngine.doEval of the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpress... Read more
Affected Products : snail-job- Published: Dec. 14, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Injection
-
5.3
MEDIUMCVE-2025-12696
The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them... Read more
Affected Products :- Published: Dec. 14, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
6.4
MEDIUMCVE-2025-14387
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attack... Read more
Affected Products : learnpress- Published: Dec. 15, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
8.6
HIGHCVE-2025-36753
The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extracting secrets or domains from within the device... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Information Disclosure
-
9.4
CRITICALCVE-2025-36752
Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant level access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively b... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-14174
Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)... Read more
Affected Products : linux_kernel chrome macos iphone_os tvos watchos safari windows ipados edge_chromium +1 more products- Actively Exploited
- Published: Dec. 12, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption