Latest CVE Feed
-
5.3
MEDIUMCVE-2025-11072
The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files.... Read more
Affected Products :- Published: Nov. 05, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Path Traversal
-
5.3
MEDIUMCVE-2025-12676
The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This mak... Read more
Affected Products :- Published: Nov. 05, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12468
The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.4.1 via the '/wc-coupons/' REST API endpoint. This is... Read more
Affected Products : funnelkit_automations- Published: Nov. 05, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-11271
The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_overr... Read more
Affected Products : easy_digital_downloads- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Authentication
-
5.3
MEDIUMCVE-2025-54333
An issue was discovered in NPU in Samsung Mobile Processor Exynos 1380 through July 2025. There is an Invalid Pointer Dereference of node in the get_vs4l_profiler_node function.... Read more
- Published: Nov. 04, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Memory Corruption
-
5.3
MEDIUMCVE-2025-64327
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability, in its `/api/ping?url= endpoint`. This allows an attacker to make arbitrary... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Server-Side Request Forgery
-
5.3
MEDIUMCVE-2025-25236
Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-st... Read more
Affected Products :- Published: Nov. 12, 2025
- Modified: Nov. 14, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-58189
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.... Read more
Affected Products : go- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-64753
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if t... Read more
Affected Products : grist-core- Published: Nov. 13, 2025
- Modified: Nov. 14, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-61795
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately bu... Read more
Affected Products : tomcat- Published: Oct. 27, 2025
- Modified: Nov. 14, 2025
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2025-10579
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible ... Read more
Affected Products : backwpup- Published: Oct. 25, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-11760
The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in cli... Read more
Affected Products :- Published: Oct. 25, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-47912
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http... Read more
Affected Products : go- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Misconfiguration
-
5.3
MEDIUMCVE-2025-62396
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.... Read more
Affected Products : moodle- Published: Oct. 23, 2025
- Modified: Nov. 14, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-12202
A security flaw has been discovered in ajayrandhawa User-Management-PHP-MYSQL web up to fedcf58797bf2791591606f7b61fdad99ad8bff1. This vulnerability affects unknown code. Performing manipulation results in cross-site request forgery. The attack can be ini... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.3
MEDIUMCVE-2025-12042
The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to d... Read more
Affected Products :- Published: Nov. 08, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-49903
Missing Authorization vulnerability in bdthemes ZoloBlocks zoloblocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ZoloBlocks: from n/a through <= 2.3.11.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12177
The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthentic... Read more
Affected Products : download_manager- Published: Nov. 08, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12677
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for ... Read more
Affected Products :- Published: Nov. 05, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-7473
Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection.... Read more
Affected Products : manageengine_endpoint_central- Published: Oct. 21, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Injection