Latest CVE Feed
-
5.4
MEDIUMCVE-2025-66554
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript... Read more
- Published: Dec. 05, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Misconfiguration
-
5.4
MEDIUMCVE-2025-66200
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server... Read more
Affected Products : http_server- Published: Dec. 05, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-64070
Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field.... Read more
Affected Products : student_grades_management_system- Published: Dec. 02, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-68087
Missing Authorization vulnerability in merkulove Modalier for Elementor modalier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modalier for Elementor: from n/a through <= 1.0.6.... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-65798
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.... Read more
Affected Products : memos- Published: Dec. 08, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-68527
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS.This issue affects Academy LMS: from n/a through <= 3.4.0.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-6924
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TalentSoft Software e-BAP Automation allows Reflected XSS.This issue affects e-BAP Automation: before 42957.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-55129
HackerOne community member Kassem S.(kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after the fix for CVE-2025-52672, via several alternate techniques. Homoglyphs based impersonation has be... Read more
- Published: Dec. 02, 2025
- Modified: Dec. 30, 2025
- Vuln Type: Authentication
-
5.4
MEDIUMCVE-2025-65621
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.... Read more
Affected Products : snipe-it- Published: Dec. 01, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-14221
A vulnerability was detected in SourceCodester Online Banking System 1.0. This impacts an unknown function of the file /?page=user. The manipulation of the argument First Name/Last Name results in cross site scripting. The attack can be launched remotely.... Read more
Affected Products : banking_system- Published: Dec. 08, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-12505
The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check functio... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2020-36889
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing specially crafted object names. This allows malicious scripts to execute in users' browsers when administrators vie... Read more
Affected Products : xperience- Published: Dec. 18, 2025
- Modified: Dec. 27, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-68533
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WC Builder wc-builder allows Stored XSS.This issue affects WC Builder: from n/a through <= 1.2.0.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-13312
The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated att... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2024-29370
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is proce... Read more
Affected Products : python-jose- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2025-12492
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members f... Read more
Affected Products : ultimate_member- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-14633
The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated atta... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-62085
Missing Authorization vulnerability in berthaai BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through <= 1.13.... Read more
Affected Products : bertha_ai- Published: Dec. 09, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-69009
Missing Authorization vulnerability in kamleshyadav Medicalequipment medicalequipment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Medicalequipment: from n/a through <= 1.0.9.... Read more
Affected Products :- Published: Dec. 30, 2025
- Modified: Dec. 30, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-69010
Missing Authorization vulnerability in themebeez Themebeez Toolkit themebeez-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Themebeez Toolkit: from n/a through <= 1.3.5.... Read more
Affected Products :- Published: Dec. 30, 2025
- Modified: Dec. 30, 2025
- Vuln Type: Authorization