Latest CVE Feed
- CVE-2025-24865 (CVSS 3.1: 10.0)
  The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.
  Affected Products:
  Published: Feb. 13, 2025
  Modified: Feb. 13, 2025
- CVE-2025-22630 (CVSS 3.1: 9.9)
  Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection. This issue affects Widget Options: from n/a through 4.1.0.
  Affected Products:
  Published: Feb. 14, 2025
  Modified: Feb. 14, 2025
- CVE-2024-10960 (CVSS 3.1: 9.9)
  The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with ...
  Affected Products: brizy
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2025-25067 (CVSS 3.1: 9.8)
  mySCADA myPRO Manager is vulnerable to an OS command injection which could allow a remote attacker to execute arbitrary OS commands.
  Affected Products:
  Published: Feb. 13, 2025
  Modified: Feb. 13, 2025
- CVE-2024-13182 (CVSS 3.1: 9.8)
  The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated at...
  Affected Products:
  Published: Feb. 13, 2025
  Modified: Feb. 13, 2025
- CVE-2025-26341 (CVSS 3.1: 9.8)
  A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2025-25388 (CVSS 3.1: 9.8)
  A SQL Injection vulnerability was found in /admin/edit-propertytype.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the editid GET request parameter.
  Affected Products:
  Published: Feb. 13, 2025
  Modified: Feb. 13, 2025
- CVE-2025-26347 (CVSS 3.1: 9.8)
  A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2025-26345 (CVSS 3.1: 9.8)
  A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2024-10763 (CVSS 3.1: 9.8)
  The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. This makes it possible for unauthenticated attackers to include and execute arbitr...
  Affected Products:
  Published: Feb. 13, 2025
  Modified: Feb. 13, 2025
- CVE-2025-26339 (CVSS 3.1: 9.8)
  A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multip...
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2024-12213 (CVSS 3.1: 9.8)
  The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.76. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated...
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2025-0896 (CVSS 3.1: 9.8)
  Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
  Affected Products:
  Published: Feb. 13, 2025
  Modified: Feb. 13, 2025
- CVE-2025-26359 (CVSS 3.1: 9.8)
  A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2025-1100 (CVSS 3.1: 9.8)
  A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2024-13365 (CVSS 3.1: 9.8)
  The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up t...
  Affected Products: security_&_malware_scan
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2025-26342 (CVSS 3.1: 9.8)
  A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HT...
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2025-25286 (CVSS 3.1: 9.8)
  Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. T...
  Affected Products:
  Published: Feb. 13, 2025
  Modified: Feb. 13, 2025
- CVE-2025-26344 (CVSS 3.1: 9.8)
  A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.
  Affected Products:
  Published: Feb. 12, 2025
  Modified: Feb. 12, 2025
- CVE-2025-1283 (CVSS 3.1: 9.8)
  The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page.
  Affected Products:
  Published: Feb. 13, 2025
  Modified: Feb. 13, 2025