Latest CVE Feed
-
6.5
MEDIUMCVE-2025-66100
Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through <= 3.2.3.5.... Read more
Affected Products : restropress- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-10019
Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60... Read more
Affected Products : contact_form_email- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-66388
A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to... Read more
Affected Products : airflow- Published: Dec. 15, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-68383
Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebe... Read more
Affected Products : filebeat- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-65345
alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation.... Read more
Affected Products : laravel_file_manager- Published: Dec. 03, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2024-40317
A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter HTTP.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-14607
A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by this issue is the function DcmByteString::makeDicomByteString of the file dcmdata/libsrc/dcbytstr.cc of the component dcmdata. The manipulation results in memory corruption. The attack c... Read more
Affected Products : dcmtk- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-14908
A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the compone... Read more
Affected Products : jeecgboot- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-12960
The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied in... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-13891
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory res... Read more
Affected Products : modula_image_gallery- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-43511
A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.2. Processing maliciously crafted web content may... Read more
- Published: Dec. 12, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-68389
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP ... Read more
Affected Products : kibana- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-14184
A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be ... Read more
Affected Products :- Published: Dec. 07, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-68143
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without val... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-64997
Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allow low-privileged users to view agent information via the REST API, which could lead to information disclosure.... Read more
Affected Products : checkmk- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-62473
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.... Read more
Affected Products : windows_server_2008 windows_server_2012 windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_23h2 +8 more products- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
-
6.5
MEDIUMCVE-2024-2105
An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-67743
Local Deep Research is an AI-powered research assistant for deep, iterative research. In versions from 1.3.0 to before 1.3.9, the download service (download_service.py) makes HTTP requests using raw requests.get() without utilizing the application's SSRF ... Read more
Affected Products : local_deep_research- Published: Dec. 23, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Server-Side Request Forgery
-
6.5
MEDIUMCVE-2025-68431
libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (l... Read more
Affected Products :- Published: Dec. 29, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-14178
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due ... Read more
Affected Products : php- Published: Dec. 27, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Memory Corruption