Latest CVE Feed
-
6.5
MEDIUMCVE-2025-62949
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev Activity Plus Reloaded for BuddyPress bp-activity-plus-reloaded allows Stored XSS.This issue affects Activity Plus Reloaded for BuddyPress: from... Read more
Affected Products : activity_plus_reloaded_for_buddypress- Published: Oct. 27, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-57563
A path traversal in StarNet Communications Corporation FastX v.4 through v4.1.51 allows unauthenticated attackers to read arbitrary files.... Read more
Affected Products :- Published: Oct. 14, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-60540
karakeep v0.26.0 to v0.7.0 was discovered to contain a Server-Side Request Forgery (SSRF).... Read more
Affected Products :- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Server-Side Request Forgery
-
6.5
MEDIUMCVE-2025-6601
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.3, and 18.5 before 18.5.1 that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request ap... Read more
Affected Products : gitlab- Published: Oct. 27, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-8048
External Control of File Name or Path vulnerability in opentext Flipper allows Path Traversal. The vulnerability could allow a user to submit a stored local file path and then download the specified file from the system by requesting the stored document I... Read more
Affected Products : flipper- Published: Oct. 20, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-50949
FontForge v20230101 was discovered to contain a memory leak via the component DlgCreate8.... Read more
- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-61330
A hard-coded weak password vulnerability has been discovered in all Magic-branded devices from Chinese network equipment manufacturer H3C. The vulnerability stems from the use of a hard-coded weak password for the root account in the /etc/shadow configura... Read more
Affected Products :- Published: Oct. 16, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-61759
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure whe... Read more
Affected Products : vm_virtualbox- Published: Oct. 21, 2025
- Modified: Oct. 23, 2025
-
6.5
MEDIUMCVE-2025-12329
A security flaw has been discovered in shawon100 RUET OJ up to 18fa45b0a669fa1098a0b8fc629cf6856369d9a5. The affected element is an unknown function of the file /details.php. Performing manipulation of the argument ID results in sql injection. Remote expl... Read more
Affected Products : ruet_oj- Published: Oct. 27, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-61430
Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients. This happens when the TCP length prefix is malformed (len differs fr... Read more
Affected Products :- Published: Oct. 24, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-12222
A security vulnerability has been detected in Bdtask Flight Booking Software up to 3.1. Affected by this issue is some unknown functionality of the file /admin/transaction/deposit of the component Deposit Handler. The manipulation leads to unrestricted up... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-58970
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection.This issue affects Doctreat: from n/a through <= 1.6.7.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-34272
In Nagios Log Server versions prior to 2024R2.0.3, when a user's configured default dashboard is deleted, the application does not reliably fall back to an empty, default dashboard. In some implementations this can result in an unexpected dashboard being ... Read more
Affected Products : log_server- Published: Oct. 30, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-60852
A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue co... Read more
Affected Products :- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-49939
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrocoBlock JetElements For Elementor jet-elements allows Stored XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.8.... Read more
Affected Products : jetelements_for_elementor- Published: Oct. 22, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-61464
gnuboard gnuboard4 v4.36.04 and before is vulnerable to Second-order SQL Injection via the search_table in bbs/search.php.... Read more
Affected Products : gnuboard- Published: Oct. 23, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-12266
A vulnerability was detected in Zytec Dalian Zhuoyun Technology Central Authentication Service up to 20251009. This vulnerability affects the function _empty of the file /index.php/auth/widget. Performing manipulation of the argument get.layer/get.widget/... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-6239
Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor.... Read more
Affected Products : manageengine_applications_manager- Published: Oct. 21, 2025
- Modified: Oct. 24, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-61540
SQL injection vulnerability in Ultimate PHP Board 2.2.7 via the username field in lostpassword.php.... Read more
Affected Products : ultimate_php_board- Published: Oct. 16, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-0277
HCL BigFix Mobile 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.... Read more
- Published: Oct. 16, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Misconfiguration