Latest CVE Feed
-
8.8
HIGHCVE-2025-68575
Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wappointment: from n/a through <=2.7.2.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-68567
Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery.This issue affects My auctions allegro: from n/a through <= 3.6.32.... Read more
Affected Products :- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2024-5401
Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote ... Read more
- Published: Dec. 04, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-13871
Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows to upload files on behalf of the connected users and then access such files without authentication.... Read more
Affected Products : opinio- Published: Dec. 02, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2025-14390
The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attac... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2025-66395
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted bef... Read more
Affected Products : churchcrm- Published: Dec. 17, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2023-53956
Flatnux 2021-03.25 contains an authenticated file upload vulnerability that allows administrative users to upload arbitrary PHP files through the file manager. Attackers with admin credentials can upload malicious PHP scripts to the web root directory, en... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-68522
Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through <= 4.9.5.... Read more
Affected Products : wpstream- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-68582
Missing Authorization vulnerability in Funnelforms Funnelforms Free funnelforms-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Funnelforms Free: from n/a through <= 3.8.... Read more
Affected Products : funnelforms_free- Published: Dec. 24, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-14476
The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This ... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-66404
MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in bot... Read more
Affected Products : mcp-server-kubernetes- Published: Dec. 03, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Injection
-
8.7
HIGHCVE-2025-66410
Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete a... Read more
Affected Products : gin-vue-admin- Published: Dec. 01, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Path Traversal
-
8.7
HIGHCVE-2023-53970
Screen SFT DAB 600/C Firmware 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP-bound session identifiers. Attackers can exploit the vulnerable deviceManagement API endpoint to res... Read more
- Published: Dec. 22, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Authentication
-
8.7
HIGHCVE-2020-36893
Eibiz i-Media Server Digital Signage 3.8.0 contains a directory traversal vulnerability that allows unauthenticated remote attackers to access files outside the server's root directory. Attackers can exploit the 'oldfile' GET parameter to view sensitive c... Read more
Affected Products : i-media_server_digital_signage- Published: Dec. 10, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Path Traversal
-
8.7
HIGHCVE-2025-8405
GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by inj... Read more
Affected Products : gitlab- Published: Dec. 11, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Injection
-
8.7
HIGHCVE-2025-11393
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific r... Read more
Affected Products :- Published: Dec. 15, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Authorization
-
8.7
HIGHCVE-2021-47718
OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration ... Read more
Affected Products : openbmcs- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
8.7
HIGHCVE-2021-47713
Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and m... Read more
Affected Products : graphql_engine- Published: Dec. 22, 2025
- Modified: Dec. 26, 2025
- Vuln Type: Denial of Service
-
8.7
HIGHCVE-2025-61976
CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive.... Read more
- Published: Dec. 16, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
8.7
HIGHCVE-2025-13426
A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious o... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Injection