Latest CVE Feed
-
5.4
MEDIUMCVE-2023-23729
Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through 2.3.0.... Read more
Affected Products : spectra- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-34260
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later r... Read more
Affected Products : wise-deviceon_server- Published: Dec. 05, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-12887
The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' fu... Read more
Affected Products :- Published: Dec. 03, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-59790
Improper Privilege Management vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue.... Read more
Affected Products : kvrocks- Published: Nov. 28, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-12191
The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possi... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-12505
The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check functio... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-20382
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views d... Read more
- Published: Dec. 03, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Server-Side Request Forgery
-
5.4
MEDIUMCVE-2025-51734
Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0.... Read more
Affected Products : unica- Published: Nov. 28, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-62728
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift A... Read more
Affected Products : hive- Published: Nov. 26, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Injection
-
5.4
MEDIUMCVE-2025-66514
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocke... Read more
- Published: Dec. 05, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Injection
-
5.4
MEDIUMCVE-2025-13296
Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery.This issue affects T-Soft E-Commerce: through 28112025.... Read more
Affected Products :- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.4
MEDIUMCVE-2025-66421
Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69.... Read more
Affected Products :- Published: Nov. 30, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-60916
A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted pay... Read more
Affected Products : openatlas- Published: Nov. 24, 2025
- Modified: Nov. 28, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-30186
Malicious content uploaded as file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the prov... Read more
Affected Products : ox_app_suite- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-67559
Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Online Booking & Scheduling Cale... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-14221
A vulnerability was detected in SourceCodester Online Banking System 1.0. This impacts an unknown function of the file /?page=user. The manipulation of the argument First Name/Last Name results in cross site scripting. The attack can be launched remotely.... Read more
Affected Products : banking_system- Published: Dec. 08, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-67561
Missing Authorization vulnerability in Oleksandr Lysyi Debug Log Viewer debug-log-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Debug Log Viewer: from n/a through <= 2.0.3.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-67496
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application doe... Read more
Affected Products : wegia- Published: Dec. 09, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-12635
IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using... Read more
Affected Products : websphere_application_server- Published: Dec. 08, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-64499
Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CS... Read more
Affected Products : tuleap- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Cross-Site Request Forgery