Latest CVE Feed
-
8.1
HIGHCVE-2025-59550
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Xcare xcare allows PHP Local File Inclusion.This issue affects Xcare: from n/a through < 6.5.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Path Traversal
-
8.1
HIGHCVE-2025-59558
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Billey billey allows PHP Local File Inclusion.This issue affects Billey: from n/a through < 2.1.6.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Injection
-
8.1
HIGHCVE-2025-11713
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect Firefox running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 20, 2025
- Vuln Type: Injection
-
8.1
HIGHCVE-2025-60190
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hinnerk Altenburg Immocaster WordPress Plugin immocaster allows PHP Local File Inclusion.This issue affects Immocaster WordPress Plugi... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Path Traversal
-
8.1
HIGHCVE-2025-11621
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault... Read more
Affected Products : vault- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authentication
-
8.1
HIGHCVE-2025-5483
The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts... Read more
Affected Products :- Published: Nov. 07, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-49952
Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.1.1.... Read more
Affected Products : houzez- Published: Oct. 22, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-62169
OctoPrint-SpoolManager is a plugin for managing spools and all their usage metadata. In versions 1.8.0a2 and older of the testing branch and versions 1.7.7 and older of the stable branch, the APIs of the OctoPrint-SpoolManager plugin do not correctly enfo... Read more
Affected Products :- Published: Oct. 23, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Authentication
-
8.1
HIGHCVE-2025-62716
Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?next_path query parameter allows attackers to supply arbitrary schemes (e.g., javascript:) that are passed directly to router.push. This resul... Read more
Affected Products : plane- Published: Oct. 24, 2025
- Modified: Oct. 27, 2025
- Vuln Type: Cross-Site Scripting
-
8.1
HIGHCVE-2025-62922
Missing Authorization vulnerability in Shambhu Patnaik Export Categories export-categories allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Export Categories: from n/a through <= 1.0.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-62925
Missing Authorization vulnerability in Conversios Conversios.io enhanced-e-commerce-for-woocommerce-store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conversios.io: from n/a through <= 7.2.10.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-64287
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion.This issue affects Alloggio - Hotel Booking: from n/a th... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Path Traversal
-
8.1
HIGHCVE-2025-39465
Missing Authorization vulnerability in flippercode Advanced Google Maps wp-google-map-gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Google Maps: from n/a through <= 5.8.4.... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-62510
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or interact with fol... Read more
Affected Products :- Published: Oct. 20, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-11853
A vulnerability was determined in Sismics Teedy up to 1.11. This affects an unknown function of the file /api/file of the component API Endpoint. Executing manipulation can lead to improper access controls. The attack may be performed from remote. The exp... Read more
Affected Products : teedy- Published: Oct. 16, 2025
- Modified: Oct. 23, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-59250
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.... Read more
Affected Products : jdbc_driver_for_sql_server_12.8 jdbc_driver_for_sql_server_10.2 jdbc_driver_for_sql_server_12.6 jdbc_driver_for_sql_server_12.4 jdbc_driver_for_sql_server_12.10 jdbc_driver_for_sql_server_13.2 jdbc_driver_for_sql_server_12.2 jdbc_driver_for_sql_server_11.2 jdbc_driver_for_sql_server- Published: Oct. 14, 2025
- Modified: Oct. 30, 2025
-
8.1
HIGHCVE-2025-62893
Authorization Bypass Through User-Controlled Key vulnerability in mediavine Create by Mediavine mediavine-create allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Create by Mediavine: from n/a through <= 1.9.14.... Read more
Affected Products : create- Published: Oct. 27, 2025
- Modified: Oct. 28, 2025
- Vuln Type: Authorization
-
8.1
HIGHCVE-2025-11720
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from ... Read more
- Published: Oct. 14, 2025
- Modified: Oct. 15, 2025
- Vuln Type: Information Disclosure
-
8.1
HIGHCVE-2025-59007
Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.... Read more
Affected Products :- Published: Oct. 22, 2025
- Modified: Oct. 22, 2025
- Vuln Type: Injection
-
8.1
HIGHCVE-2025-43323
This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 26, tvOS 26, iOS 26 and iPadOS 26, watchOS 26. An app may be able to fingerprint the user.... Read more
- Published: Nov. 04, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authorization