Latest CVE Feed
-
8.6
HIGHCVE-2025-65076
WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to read or delete any file on the server using path traversal in the ilog script... Read more
Affected Products : video_management_software_server- Published: Dec. 16, 2025
- Modified: Dec. 22, 2025
- Vuln Type: Path Traversal
-
8.6
HIGHCVE-2025-67736
The FreePBX module tts (Text to Speech) for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk. Versions prior to 16.0.5 and 17.0.5 are vulnerable to SQL injection by authenticated users with administrator access. Authe... Read more
Affected Products : freepbx- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Injection
-
8.6
HIGHCVE-2025-23417
A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulner... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Denial of Service
-
8.6
HIGHCVE-2025-65074
WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in the showe... Read more
Affected Products : video_management_software_server- Published: Dec. 16, 2025
- Modified: Dec. 22, 2025
- Vuln Type: Path Traversal
-
8.6
HIGHCVE-2025-13829
Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToken (10 minutes us... Read more
Affected Products :- Published: Dec. 01, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Authorization
-
8.6
HIGHCVE-2025-55222
A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Denial of Service
-
8.6
HIGHCVE-2020-36881
Flexsense DiskBoss 7.7.14 contains a local buffer overflow vulnerability in the 'Input Directory' component that allows unauthenticated attackers to execute arbitrary code on the system. Attackers can exploit this by pasting a specially crafted directory ... Read more
- Published: Dec. 05, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Memory Corruption
-
8.6
HIGHCVE-2025-12061
The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization
-
8.6
HIGHCVE-2025-64983
Smart Video Doorbell firmware versions prior to 2.01.078 contain an active debug code vulnerability that allows an attacker to connect via Telnet and gain access to the device.... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authentication
-
8.6
HIGHCVE-2025-66201
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It ... Read more
Affected Products : librechat- Published: Nov. 29, 2025
- Modified: Dec. 03, 2025
- Vuln Type: Server-Side Request Forgery
-
8.6
HIGHCVE-2025-26858
A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger th... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Memory Corruption
-
8.6
HIGHCVE-2025-66635
Stack-based buffer overflow vulnerability exists in SEIKO EPSON Web Config. Specially crafted data input by a logged-in user may execute arbitrary code. As for the details of the affected products and versions, see the information provided by the vendor u... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 22, 2025
- Vuln Type: Memory Corruption
-
8.6
HIGHCVE-2023-53885
Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitr... Read more
Affected Products : webutler- Published: Dec. 15, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Injection
-
8.6
HIGHCVE-2025-13428
A vulnerability exists in the SecOps SOAR server. The custom integrations feature allowed an authenticated user with an "IDE role" to achieve Remote Code Execution (RCE) in the server. The flaw stemmed from weak validation of uploaded Python package code.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Injection
-
8.6
HIGHCVE-2025-66450
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be sha... Read more
Affected Products : librechat- Published: Dec. 11, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
8.6
HIGHCVE-2024-58313
xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modi... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
8.6
HIGHCVE-2024-58295
ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands... Read more
Affected Products :- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Authentication
-
8.6
HIGHCVE-2024-58293
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendo... Read more
Affected Products : akaunting- Published: Dec. 11, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Injection
-
8.6
HIGHCVE-2020-36890
An access control bypass vulnerability in Kentico Xperience allows administrators to modify global administrator user privileges via unauthorized requests. Attackers could potentially compromise global administrator accounts and invalidate security-sensit... Read more
Affected Products : xperience- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
8.6
HIGHCVE-2025-62173
## Summary Authenticated SQL Injection Vulnerability in Endpoint Module Rest API... Read more
Affected Products : freepbx- Published: Dec. 04, 2025
- Modified: Dec. 04, 2025
- Vuln Type: Injection