Latest CVE Feed
-
6.5
MEDIUMCVE-2025-33034
A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability ... Read more
Affected Products : qsync_central- Published: Oct. 03, 2025
- Modified: Oct. 07, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-58580
An API endpoint allows arbitrary log entries to be created via POST request. Without sufficient validation of the input data, an attacker can create manipulated log entries and thus falsify or dilute logs, for example.... Read more
Affected Products :- Published: Oct. 06, 2025
- Modified: Oct. 06, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-61096
PHPGurukul Online Shopping Portal Project v2.1 is vulnerable to SQL Injection in /shopping/login.php via the fullname parameter.... Read more
Affected Products : online_shopping_portal_project- Published: Oct. 02, 2025
- Modified: Oct. 07, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-53407
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify mem... Read more
- Published: Oct. 03, 2025
- Modified: Oct. 08, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-59921
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiADC version 7.4.0, version 7.2.3 and below, version 7.1.4 and below, 7.0 all versions, 6.2 all versions may allow an authenticated attacker to obtain se... Read more
Affected Products : fortiadc- Published: Oct. 14, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-60162
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Job Board Manager allows DOM-Based XSS. This issue affects Job Board Manager: from n/a through 2.1.61.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-60098
Missing Authorization vulnerability in Jeff Farthing Theme My Login allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theme My Login: from n/a through 7.1.12.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-57197
In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. A local attacker with root access to the device can dynamically instrument the app to bypass the current PIN ve... Read more
Affected Products :- Published: Sep. 29, 2025
- Modified: Sep. 30, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-61925
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on o... Read more
Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-60838
An arbitrary file upload vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary code via uploading a crafted file.... Read more
Affected Products :- Published: Oct. 10, 2025
- Modified: Oct. 14, 2025
-
6.5
MEDIUMCVE-2025-43907
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2025 release version 8.3.1.0, LTS2024 release versions 7.13.1.0 through 7.13.1.30, LTS 2023 release versions 7.10.1.0 through ... Read more
Affected Products : data_domain_operating_system- Published: Oct. 07, 2025
- Modified: Oct. 14, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-10974
A vulnerability has been found in giantspatula SewKinect up to 7fd963ceb3385af3706af02b8a128a13399dffb1. This affects the function pickle.loads of the file /calculate of the component Endpoint. Such manipulation of the argument body_parts/point_cloud lead... Read more
Affected Products :- Published: Sep. 25, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-10746
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for... Read more
Affected Products :- Published: Oct. 04, 2025
- Modified: Oct. 06, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-59956
AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint s... Read more
Affected Products : agentapi- Published: Sep. 30, 2025
- Modified: Oct. 08, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-59940
mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8.... Read more
Affected Products :- Published: Sep. 29, 2025
- Modified: Oct. 02, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-62508
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function... Read more
Affected Products : citizen- Published: Oct. 17, 2025
- Modified: Oct. 21, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-10307
The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all versions up to, and including, 1.4.8. This makes it possible... Read more
Affected Products : backuply- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Path Traversal
-
6.5
MEDIUMCVE-2025-60040
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fkrauthan wp-mpdf allows Stored XSS. This issue affects wp-mpdf: from n/a through 3.9.1.... Read more
Affected Products : wp-mpdf- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-11407
A weakness has been identified in D-Link DI-7001 MINI 24.04.18B1. Impacted is an unknown function of the file /upgrade_filter.asp. This manipulation of the argument path causes os command injection. The attack may be initiated remotely. The exploit has be... Read more
Affected Products :- Published: Oct. 07, 2025
- Modified: Oct. 08, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-60833
An XML External Entity (XXE) vulnerability in the /mall/wxpay/pay component of uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying crafted XML data.... Read more
Affected Products : uzy-ssm-mall- Published: Oct. 08, 2025
- Modified: Oct. 10, 2025
- Vuln Type: XML External Entity