Latest CVE Feed
-
6.5
MEDIUMCVE-2025-9637
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3... Read more
Affected Products : quiz_and_survey_master- Published: Jan. 06, 2026
- Modified: Jan. 09, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-36366
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.... Read more
Affected Products : db2- Published: Jan. 30, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-14153
The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack ... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-36001
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion... Read more
Affected Products : db2- Published: Jan. 30, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2024-31088
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r – Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS.This issue affects AdsPlace'r – Ad Manager, Inserter, AdSense Ads: f... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-69357
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS.This issue affects TheGem Theme Elements (for Elementor): f... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2026-0683
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied... Read more
Affected Products : supportcandy- Published: Jan. 31, 2026
- Modified: Jan. 31, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-69351
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4.... Read more
Affected Products : ninja_tables- Published: Jan. 06, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-14901
The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce ve... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2019-25295
The WP Cost Estimation plugin for WordPress is vulnerable to Upload Directory Traversal in versions before 9.660 via the uploadFormFiles function. This allows attackers to overwrite any file with a whitelisted type on an affected site.... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-13679
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible ... Read more
Affected Products : tutor_lms- Published: Jan. 08, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-69334
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Stored XSS.This issue affects Wishlist for WooCommerce: from n/a through <= 3.3.0.... Read more
Affected Products :- Published: Jan. 06, 2026
- Modified: Jan. 20, 2026
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-12573
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data.... Read more
Affected Products :- Published: Jan. 20, 2026
- Modified: Jan. 26, 2026
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-46645
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through ... Read more
Affected Products :- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-67810
In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions.... Read more
Affected Products :- Published: Jan. 09, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-51626
SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint.... Read more
Affected Products : pss.sale.com- Published: Jan. 09, 2026
- Modified: Jan. 22, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2026-0843
A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql inj... Read more
Affected Products :- Published: Jan. 11, 2026
- Modified: Jan. 13, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2026-21885
Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generat... Read more
Affected Products : miniflux- Published: Jan. 08, 2026
- Modified: Jan. 12, 2026
- Vuln Type: Server-Side Request Forgery
-
6.5
MEDIUMCVE-2025-67261
Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page.... Read more
Affected Products : retail_point_of_sale- Published: Jan. 20, 2026
- Modified: Jan. 30, 2026
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-68471
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.... Read more
Affected Products : avahi- Published: Jan. 12, 2026
- Modified: Jan. 16, 2026
- Vuln Type: Denial of Service