Latest CVE Feed
-
8.8
HIGHCVE-2025-9890
The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated ... Read more
Affected Products : theme_editor- Published: Oct. 18, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2025-32283
Deserialization of Untrusted Data vulnerability in designthemes Solar Energy solar allows Object Injection.This issue affects Solar Energy: from n/a through <= 3.5.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-54968
An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Service does not require authentication. In some configurations, this may allow remote users to submit jobs, or local users to submit jobs that will execute with the permissions of... Read more
Affected Products : socet_gxp- Published: Oct. 27, 2025
- Modified: Oct. 31, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-11746
The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theet_ajax_required_plugins_popup() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, ... Read more
Affected Products : xstore- Published: Oct. 15, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2025-62491
A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list). * The function js_std_promise_rejection_check attempts to iterate over... Read more
Affected Products : quickjs- Published: Oct. 16, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2025-12507
The service Bizerba Communication Server (BCS) has an unquoted service path. Due to the way Windows searches the executable for the BCS service, malicious programs can be executed.... Read more
Affected Products : _connect.brain- Published: Oct. 31, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2025-12221
Busybox 1.31.1 - Multiple Known Vulnerabilities.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.... Read more
- Published: Oct. 25, 2025
- Modified: Nov. 07, 2025
-
8.8
HIGHCVE-2025-62929
Missing Authorization vulnerability in PickPlugins Testimonial Slider testimonial allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonial Slider: from n/a through <= 2.0.15.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-58716
Improper input validation in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally.... Read more
Affected Products : windows_server_2016 windows_server_2019 windows_10_1607 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_22h2 windows_10_1507 windows_11_23h2 +6 more products- Published: Oct. 14, 2025
- Modified: Oct. 31, 2025
-
8.8
HIGHCVE-2025-11613
A vulnerability was found in code-projects Simple Food Ordering System 1.0. Affected is an unknown function of the file /addcategory.php. The manipulation of the argument cname results in sql injection. The attack can be launched remotely. The exploit has... Read more
- Published: Oct. 11, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-60311
ProjectWorlds Gym Management System1.0 is vulnerable to SQL Injection via the "id" parameter in the profile/edit.php page... Read more
- Published: Oct. 08, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-11605
A vulnerability was identified in code-projects Client Details System 1.0. Impacted is an unknown function of the file /admin/update-profile.php. Such manipulation of the argument uid leads to sql injection. The attack can be executed remotely. The exploi... Read more
- Published: Oct. 11, 2025
- Modified: Oct. 29, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-11603
A vulnerability was found in code-projects Simple Food Ordering System 1.0. This vulnerability affects unknown code of the file /editproduct.php. The manipulation of the argument Category results in sql injection. The attack may be launched remotely. The ... Read more
- Published: Oct. 11, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-9428
Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api.... Read more
Affected Products : manageengine_analytics_plus- Published: Oct. 21, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-62931
Missing Authorization vulnerability in microsoftstart MSN Partner Hub microsoft-start allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MSN Partner Hub: from n/a through <= 2.8.7.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-11908
A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. ... Read more
Affected Products : streamax_crocus- Published: Oct. 17, 2025
- Modified: Oct. 31, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2025-62726
n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository contain... Read more
Affected Products : n8n- Published: Oct. 30, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-41110
Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the att... Read more
- Published: Oct. 22, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Information Disclosure
-
8.8
HIGHCVE-2025-11724
The EM Beer Manager plugin for WordPress is vulnerable to arbitrary file upload leading to remote code execution in all versions up to, and including, 3.2.3. This is due to missing file type validation in the EMBM_Admin_Untappd_Import_image() function and... Read more
Affected Products :- Published: Nov. 04, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-12095
The Simple Registration for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.8. This is due to missing nonce validation on the role requests admin page handler in the includes/display-r... Read more
Affected Products :- Published: Oct. 25, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Cross-Site Request Forgery