Latest CVE Feed
-
7.5
HIGHCVE-2025-14169
The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied paramete... Read more
Affected Products : funnelkit_automations- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-14068
The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the exis... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-64378
Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through < 2.9.10.... Read more
Affected Products : listingpro- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-66070
Missing Authorization vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpForo Forum: from n/a through <= 2.4.10.... Read more
Affected Products : wpforo_forum- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-66088
Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12.... Read more
Affected Products : propertyhive- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-58877
Missing Authorization vulnerability in javothemes Javo Core javo-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Javo Core: from n/a through <= 3.0.0.529.... Read more
Affected Products : javo_core- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-60045
Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects IDonatePro: from n/a through <= 2.1.11.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-60078
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier Task Manager task-manager allows PHP Local File Inclusion.This issue affects Task Manager: from n/a thr... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-64658
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
-
7.5
HIGHCVE-2025-13339
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbit... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-59775
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are re... Read more
Affected Products : http_server- Published: Dec. 05, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Server-Side Request Forgery
-
7.5
HIGHCVE-2025-63094
XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
7.5
HIGHCVE-2025-63036
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion.This issue affects Ronneby Theme Core: from n/a through ... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2025-64471
A use of password hash instead of password for authentication vulnerability [CWE-836] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 throug... Read more
Affected Products : fortiweb- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authentication
-
7.5
HIGHCVE-2025-26488
Improper Input Validation vulnerability in Infinera MTC-9 allows remote unauthenticated users to crash the service and cause a reboot of the appliance, thus causing a DoS condition, via crafted XML payloads.This issue affects MTC-9: from R22.1.1.0275 be... Read more
- Published: Dec. 08, 2025
- Modified: Dec. 22, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2024-3884
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will ... Read more
Affected Products : undertow- Published: Dec. 03, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2025-63895
An issue in the Bluetooth firmware of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted Link Manager Protocol (LMP) packet.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2025-65795
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.... Read more
Affected Products : memos- Published: Dec. 08, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-63363
A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to execute de-authentication attacks, allowing crafted deauthentica... Read more
- Published: Dec. 04, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Misconfiguration
-
7.5
HIGHCVE-2025-57212
Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request.... Read more
Affected Products : platform- Published: Dec. 04, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Authorization