Latest CVE Feed
-
5.3
MEDIUMCVE-2025-7700
A flaw was found in FFmpeg’s ALS audio decoder, where it does not properly check for memory allocation failures. This can cause the application to crash when processing certain malformed audio files. While it does not lead to data theft or system control,... Read more
Affected Products : ffmpeg- Published: Nov. 07, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2025-64485
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.4.0 through 2.48.1, a malicious CVAT user with at least the User global role may create files in the root of the mounted file share, or overwrite existin... Read more
Affected Products : computer_vision_annotation_tool- Published: Nov. 08, 2025
- Modified: Nov. 08, 2025
- Vuln Type: Path Traversal
-
5.3
MEDIUMCVE-2025-12042
The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to d... Read more
Affected Products :- Published: Nov. 08, 2025
- Modified: Nov. 08, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12177
The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthentic... Read more
Affected Products : download_manager- Published: Nov. 08, 2025
- Modified: Nov. 08, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12353
The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relyin... Read more
Affected Products :- Published: Nov. 08, 2025
- Modified: Nov. 08, 2025
- Vuln Type: Authentication
-
5.3
MEDIUMCVE-2025-12098
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.8 via the 'enqueue_social_login_script' function. This makes it possible ... Read more
Affected Products :- Published: Nov. 08, 2025
- Modified: Nov. 08, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-64683
In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API... Read more
Affected Products : hub- Published: Nov. 10, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-12621
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes i... Read more
Affected Products :- Published: Nov. 08, 2025
- Modified: Nov. 08, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12909
Insufficient policy enforcement in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to leak cross-origin data via Devtools. (Chromium security severity: Low)... Read more
Affected Products : chrome- Published: Nov. 08, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-62520
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php can use the Copy From action to retrieve the columns con... Read more
Affected Products : mantisbt- Published: Nov. 04, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-64435
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher ... Read more
Affected Products : kubevirt- Published: Nov. 07, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2025-12440
Inappropriate implementation in Autofill in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chr... Read more
- Published: Nov. 10, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-64321
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.... Read more
Affected Products : agentforce_vibes_extension- Published: Nov. 04, 2025
- Modified: Nov. 11, 2025
- Vuln Type: Injection
-
5.2
MEDIUMCVE-2025-10853
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, le... Read more
Affected Products : wso2_open_banking_am wso2_identity_server wso2_api_control_plane wso2_open_banking_iam wso2_enterprise_integrator wso2_api_manager wso2_universal_gateway wso2_identity_server_as_key_manager wso2_traffic_manager org.wso2.carbon.registry_org.wso2.carbon.registry.info.ui +3 more products- Published: Nov. 05, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
5.2
MEDIUMCVE-2025-58712
A container privilege escalation flaw was found in certain AMQ Broker images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Misconfiguration
-
5.2
MEDIUMCVE-2025-12943
Improper certificate validation in firmware update logic in NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400 WiFi 6 Router) and RAXE300 (Nighthawk AXE7800 Tri-Band WiFi 6E Router) allows attackers with the ability to intercept and tamper traffic destined to t... Read more
Affected Products : rax30_firmware- Published: Nov. 11, 2025
- Modified: Nov. 11, 2025
- Vuln Type: Misconfiguration
-
5.2
MEDIUMCVE-2025-54983
A health check port on Zscaler Client Connector on Windows, versions 4.6 < 4.6.0.216 and 4.7 < 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls.... Read more
Affected Products :- Published: Nov. 12, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Misconfiguration
-
5.2
MEDIUMCVE-2025-57848
A container privilege escalation flaw was found in certain Container-native Virtualization images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execu... Read more
Affected Products :- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Misconfiguration
-
5.1
MEDIUMCVE-2025-12224
A flaw has been found in Iqbolshoh php-business-website up to 10677743a8dfc281f85291a27cf63a0bce043c24. This vulnerability affects unknown code of the file admin/contact.php. This manipulation of the argument twitter causes cross site scripting. The attac... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Cross-Site Scripting
-
5.1
MEDIUMCVE-2025-34318
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDR... Read more
Affected Products : ipfire- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Scripting