Latest CVE Feed
-
6.5
MEDIUMCVE-2025-68384
Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user set... Read more
Affected Products : elasticsearch- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-14117
A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor... Read more
Affected Products : halo- Published: Dec. 06, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Request Forgery
-
6.5
MEDIUMCVE-2025-13891
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory res... Read more
Affected Products : modula_image_gallery- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-12035
An integer overflow condition exists in Bluetooth Host stack, within the bt_br_acl_recv routine a critical path for processing inbound BR/EDR L2CAP traffic.... Read more
Affected Products : zephyr- Published: Dec. 15, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-14148
IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM API Token.... Read more
- Published: Dec. 15, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-14446
The Popup Builder (Easy Notify Lite) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the easynotify_cp_reset() function in all versions up to, and including, 1.1.37. This makes it possible for a... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-13683
Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.... Read more
- Published: Nov. 28, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-68381
Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid ... Read more
Affected Products : packetbeat- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-68383
Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebe... Read more
Affected Products : filebeat- Published: Dec. 18, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-67720
Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if t... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-14780
A vulnerability was detected in Xiongwei Smart Catering Cloud Platform 2.1.6446.28761. The affected element is an unknown function of the file /dishtrade/dish_trade_detail_get. The manipulation of the argument filter results in sql injection. The attack c... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-68076
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS.This issue affects Stockholm Core: from n/a through <= 2.4.6.... Read more
Affected Products : stockholm_core- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-67735
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This lead... Read more
Affected Products : netty- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2024-2105
An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-15088
A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote ex... Read more
Affected Products :- Published: Dec. 25, 2025
- Modified: Dec. 25, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-63035
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS.This issue affects WPLMS: from n/a through <= 1.9.9.5.4.... Read more
Affected Products : wordpress_learning_management_system_- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-12483
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of suf... Read more
Affected Products : visualizer- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-68079
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Shortcodes salient-shortcodes allows Stored XSS.This issue affects Salient Shortcodes: from n/a through <= 1.5.4.... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-59935
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.... Read more
Affected Products : glpi- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-66058
Missing Authorization vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.17.... Read more
Affected Products : post_grid- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization