Latest CVE Feed
-
4.3
MEDIUMCVE-2025-10691
The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page() function. This makes it possible for un... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-62482
Cross-site scripting in Zoom Workplace for Windows before version 6.5.10 may allow an unauthenticated user to impact integrity via network access.... Read more
- Published: Nov. 13, 2025
- Modified: Nov. 14, 2025
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2025-54548
On affected platforms, restricted users could view sensitive portions of the config database via a debug API (e.g., user password hashes)... Read more
Affected Products : danz_monitoring_fabric- Published: Oct. 29, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-64143
Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file s... Read more
Affected Products : openshift_pipeline- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-43427
This issue was addressed through improved state management. This issue is fixed in iOS 26.1 and iPadOS 26.1, tvOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.... Read more
- Published: Nov. 04, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Denial of Service
-
4.3
MEDIUMCVE-2025-12188
The Posts Navigation Links for Sections and Headings – Free by WP Masters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'wpm_naviga... Read more
Affected Products :- Published: Nov. 04, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-41720
A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Misconfiguration
-
4.3
MEDIUMCVE-2025-64138
A cross-site request forgery (CSRF) vulnerability in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL.... Read more
Affected Products : start_windocks_container- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-64357
Cross-Site Request Forgery (CSRF) vulnerability in Younes JFR. Advanced Database Cleaner advanced-database-cleaner allows Cross Site Request Forgery.This issue affects Advanced Database Cleaner: from n/a through <= 3.1.6.... Read more
Affected Products : advanced_database_cleaner- Published: Oct. 31, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-43434
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.... Read more
- Published: Nov. 04, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Memory Corruption
-
4.3
MEDIUMCVE-2025-8383
The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthe... Read more
Affected Products :- Published: Oct. 31, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-10545
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/member... Read more
Affected Products : mattermost_server- Published: Oct. 16, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-58183
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the ar... Read more
Affected Products : go- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Denial of Service
-
4.3
MEDIUMCVE-2025-64145
Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.... Read more
Affected Products : byteguard_build_actions- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-64146
Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.... Read more
Affected Products : curseforge_publisher- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-64147
Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.... Read more
Affected Products : curseforge_publisher- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-64136
A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server.... Read more
Affected Products : themis- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-64137
A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.... Read more
Affected Products : themis- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-64356
Missing Authorization vulnerability in f1logic Insert PHP Code Snippet insert-php-code-snippet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Insert PHP Code Snippet: from n/a through <= 1.4.3.... Read more
Affected Products : insert_php_code_snippet- Published: Oct. 31, 2025
- Modified: Nov. 13, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-12526
The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated atta... Read more
Affected Products : private_google_calendars- Published: Nov. 11, 2025
- Modified: Nov. 12, 2025
- Vuln Type: Authorization