Latest CVE Feed
-
6.5
MEDIUMCVE-2025-64235
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Tuturn allows Path Traversal.This issue affects Tuturn: from n/a before 3.6.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-63046
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro-plugin allows DOM-Based XSS.This issue affects ListingPro: from n/a through <= 2.9.9.... Read more
Affected Products : listingpro- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-63035
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS.This issue affects WPLMS: from n/a through <= 1.9.9.5.4.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-63061
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hogash Kallyas kallyas allows DOM-Based XSS.This issue affects Kallyas: from n/a through <= 4.22.0.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-67538
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews Gallery jnews-gallery allows Stored XSS.This issue affects JNews Gallery: from n/a through < 12.0.1.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-55311
An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can use JavaScript to alter annotation content and subsequently clear the file's modification status via JavaScript interfaces. This ci... Read more
- Published: Dec. 11, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-15088
A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote ex... Read more
Affected Products :- Published: Dec. 25, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-67546
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs WP ERP erp allows Retrieve Embedded Sensitive Data.This issue affects WP ERP: from n/a through <= 1.16.6.... Read more
Affected Products : wp_erp- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-66202
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the ori... Read more
Affected Products : astro- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-63063
Missing Authorization vulnerability in Yandex Metrika Yandex.Metrica wp-yandex-metrika allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Yandex.Metrica: from n/a through <= 1.2.2.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authorization
-
6.4
MEDIUMCVE-2025-68145
In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that con... Read more
Affected Products :- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Path Traversal
-
6.4
MEDIUMCVE-2025-13401
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attribute... Read more
Affected Products : autoptimize- Published: Dec. 03, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-67845
A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences.... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Path Traversal
-
6.4
MEDIUMCVE-2025-13899
The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-13863
The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-11747
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attri... Read more
Affected Products : colibri_page_builder- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2021-47738
CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an ... Read more
Affected Products : csz_cms- Published: Dec. 23, 2025
- Modified: Dec. 31, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-68917
ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.... Read more
Affected Products : document_server- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-13739
The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `cryptx` shortcode in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-13857
The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclap_button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output es... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting