Latest CVE Feed
-
7.1
HIGHCVE-2025-12503
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.... Read more
Affected Products : easyflow_.net- Published: Nov. 03, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-43386
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.... Read more
- Published: Nov. 04, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Memory Corruption
-
7.1
HIGHCVE-2025-64196
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Reflected XSS.This issue affects Booster for WooCommerce: from n/a through <= 7.2.5.... Read more
Affected Products : booster_for_woocommerce- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-11206
Heap buffer overflow in Video in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)... Read more
- Published: Nov. 06, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Memory Corruption
-
7.1
HIGHCVE-2025-64232
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Import from YML import-from-yml allows Reflected XSS.This issue affects Import from YML: from n/a through <= 3.1.17.... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-62795
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending cra... Read more
Affected Products : jumpserver- Published: Oct. 30, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authentication
-
7.1
HIGHCVE-2025-62721
LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists,... Read more
Affected Products : linkace- Published: Nov. 04, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-62720
LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to their owners. T... Read more
Affected Products : linkace- Published: Nov. 04, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-62036
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-62076
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ido Kobelkowsky Simple Payment simple-payment.This issue affects Simple Payment: from n/a through <= 2.4.6.... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-34273
Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global dashboard deleti... Read more
Affected Products : log_server- Published: Oct. 30, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-62041
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor.This issue affects TheGem (Elementor): from n/a through <= 5.10.5.1.... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-12155
A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted an... Read more
Affected Products :- Published: Nov. 10, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-57107
Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap buffer overflow vulnerability in vtkGLTFDocumentLoader. When processing specially crafted GLTF files, the copy constructor of Accessor objects fails to properly validate buffer boundaries b... Read more
Affected Products : vtk- Published: Oct. 31, 2025
- Modified: Nov. 05, 2025
- Vuln Type: Memory Corruption
-
7.1
HIGHCVE-2025-63588
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted POST login). Su... Read more
Affected Products : cmsimple_xh- Published: Nov. 06, 2025
- Modified: Nov. 10, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-10280
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allows some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that wi... Read more
Affected Products :- Published: Nov. 03, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-62057
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality.This issue affects Houzez Theme - Functionality: from n/a through < 4.2.0.... Read more
Affected Products :- Published: Nov. 06, 2025
- Modified: Nov. 06, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-64442
HumHub is an Open Source Enterprise Social Network. Versions below 1.17.4 have a XSS vulnerability in the Meta-Search feature which allows malicious input to be executed in search previews. This issue is fixed in version 1.17.4.... Read more
Affected Products : humhub- Published: Nov. 07, 2025
- Modified: Nov. 07, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-64134
Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.... Read more
Affected Products : jdepend- Published: Oct. 29, 2025
- Modified: Nov. 05, 2025
- Vuln Type: XML External Entity
-
7.1
HIGHCVE-2025-34304
IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of Op... Read more
- Published: Oct. 28, 2025
- Modified: Nov. 03, 2025
- Vuln Type: Injection