Latest CVE Feed
-
7.5
HIGHCVE-2025-63094
XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
7.5
HIGHCVE-2025-63036
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion.This issue affects Ronneby Theme Core: from n/a through ... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Path Traversal
-
7.5
HIGHCVE-2024-32643
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is f... Read more
Affected Products : masacms- Published: Dec. 03, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2024-56840
A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Under certain conditions, IPsec may allow code injection in the affected device. An attacker could leverage this scenario to execute arbitrary code as root user.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-63895
An issue in the Bluetooth firmware of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted Link Manager Protocol (LMP) packet.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
7.5
HIGHCVE-2025-66578
xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2’s canon... Read more
Affected Products : xmlseclibs- Published: Dec. 09, 2025
- Modified: Dec. 11, 2025
- Vuln Type: Authentication
-
7.5
HIGHCVE-2025-65821
As UART download mode is still enabled on the ESP32 chip on which the firmware runs, an adversary can dump the flash from the device and retrieve sensitive information such as details about the current and previous Wi-Fi network from the NVS partition. Ad... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Misconfiguration
-
7.5
HIGHCVE-2025-66507
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this... Read more
Affected Products : 1panel- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authentication
-
7.4
HIGHCVE-2025-66238
DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on t... Read more
Affected Products :- Published: Dec. 04, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Server-Side Request Forgery
-
7.4
HIGHCVE-2025-10285
The web interface of the Silicon Labs Simplicity Device Manager is exposed publicly and can be used to extract the NTLMv2 hash which an attacker could use to crack the user's domain password.... Read more
Affected Products :- Published: Dec. 04, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Information Disclosure
-
7.4
HIGHCVE-2025-65290
Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attackers to intercept firmware update traffic and potentially ... Read more
Affected Products : hub_m2_firmware hub_m2 hub_m3_firmware hub_m3 camera_hub_g3_firmware camera_hub_g3- Published: Dec. 10, 2025
- Modified: Dec. 17, 2025
- Vuln Type: Misconfiguration
-
7.4
HIGHCVE-2025-66623
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect ... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization
-
7.4
HIGHCVE-2025-68922
OpenOps before 0.6.11 allows remote code execution in the Terraform block.... Read more
Affected Products :- Published: Dec. 25, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Injection
-
7.4
HIGHCVE-2025-14809
ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Misconfiguration
-
7.4
HIGHCVE-2025-48429
An out-of-bounds read vulnerability exists in the RLECodec::DecodeByStreams functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to leaking heap data. An attacker can provide a malicious file to trigger this vulnerability.... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
7.4
HIGHCVE-2025-37731
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.... Read more
- Published: Dec. 15, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Authentication
-
7.4
HIGHCVE-2025-58173
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged ... Read more
Affected Products : freshrss- Published: Dec. 16, 2025
- Modified: Dec. 16, 2025
- Vuln Type: Path Traversal
-
7.4
HIGHCVE-2025-53619
An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.Th... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
7.4
HIGHCVE-2025-52582
An out-of-bounds read vulnerability exists in the Overlay::GrabOverlayFromPixelData functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerabil... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure
-
7.4
HIGHCVE-2025-53618
An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.Th... Read more
Affected Products :- Published: Dec. 16, 2025
- Modified: Dec. 18, 2025
- Vuln Type: Information Disclosure