Latest CVE Feed
-
4.3
MEDIUMCVE-2025-64229
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.... Read more
Affected Products :- Published: Oct. 29, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-62393
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course detail... Read more
Affected Products : moodle- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-43441
The issue was addressed with improved memory handling. This issue is fixed in iOS 26.1 and iPadOS 26.1, tvOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.... Read more
- Published: Nov. 04, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Memory Corruption
-
4.3
MEDIUMCVE-2025-64147
Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.... Read more
Affected Products : curseforge_publisher- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-10570
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with ... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-64288
Cross-Site Request Forgery (CSRF) vulnerability in Premmerce Premmerce premmerce allows Cross Site Request Forgery.This issue affects Premmerce: from n/a through <= 1.3.19.... Read more
Affected Products : premmerce- Published: Oct. 29, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-12188
The Posts Navigation Links for Sections and Headings – Free by WP Masters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'wpm_naviga... Read more
Affected Products :- Published: Nov. 04, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-64234
Missing Authorization vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Evergreen Content Poster: from n/a through <= 1.4.... Read more
Affected Products : evergreen_content_poster- Published: Oct. 29, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-62021
Missing Authorization vulnerability in Made Neat Acknowledgify acknowledgify.This issue affects Acknowledgify: from n/a through <= 1.1.3.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 24, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-12675
The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig() function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with ... Read more
Affected Products :- Published: Nov. 05, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-12582
The Features plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'features_revert_option AJAX endpoint in all versions up to, and including, 0.0.2. This makes it possible for authenticated attac... Read more
Affected Products :- Published: Nov. 05, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-62176
Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those token... Read more
Affected Products : mastodon- Published: Oct. 13, 2025
- Modified: Oct. 20, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-62026
Insertion of Sensitive Information Into Sent Data vulnerability in Blockspare Blockspare blockspare allows Retrieve Embedded Sensitive Data.This issue affects Blockspare: from n/a through <= 3.2.13.2.... Read more
Affected Products : blockspare- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-60132
Cross-Site Request Forgery (CSRF) vulnerability in johnh10 Video Blogster Lite video-blogster-lite allows Stored XSS.This issue affects Video Blogster Lite: from n/a through <= 1.2.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-64146
Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.... Read more
Affected Products : curseforge_publisher- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-64145
Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.... Read more
Affected Products : byteguard_build_actions- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
4.3
MEDIUMCVE-2025-49937
Missing Authorization vulnerability in Syed Balkhi Smash Balloon Social Post Feed custom-facebook-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smash Balloon Social Post Feed: from n/a through <= 4.3.2.... Read more
Affected Products : smash_balloon_social_post_feed- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-11176
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled ke... Read more
Affected Products :- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-64137
A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.... Read more
Affected Products : themis- Published: Oct. 29, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-21075
Out-of-bounds write in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory.... Read more
Affected Products :- Published: Nov. 05, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Memory Corruption