Latest CVE Feed
-
4.3
MEDIUMCVE-2025-69344
Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oneline Lite: from n/a through 6.6.... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authorization
-
6.4
MEDIUMCVE-2025-13849
The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-13667
The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. T... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-13841
The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization an... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-14842
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This ma... Read more
Affected Products : drag_and_drop_multiple_file_upload_-_contact_form_7- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-9611
Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running ... Read more
Affected Products : playwright- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Misconfiguration
-
8.2
HIGHCVE-2026-0656
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenti... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
6.8
MEDIUMCVE-2025-66837
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/Malware... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Misconfiguration
-
4.9
MEDIUMCVE-2026-20029
A vulnerability in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information.... Read more
Affected Products : identity_services_engine- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: XML External Entity
-
6.3
MEDIUMCVE-2025-58441
Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, there is a blind server-side request forgery vulnerability. The vulnerability allows attackers to send requests to arbitrary hosts/paths. Since the attacker is n... Read more
Affected Products : knowage- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Server-Side Request Forgery
-
6.9
MEDIUMCVE-2026-22543
The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authentication
-
4.3
MEDIUMCVE-2025-13990
The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticat... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Request Forgery
-
6.8
MEDIUMCVE-2026-22537
The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker.... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Misconfiguration
-
6.4
MEDIUMCVE-2025-14053
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it pos... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
8.1
HIGHCVE-2025-69080
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion.This issue affects Gecko: from n/a through 1.9.8.... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Path Traversal
-
7.8
HIGHCVE-2025-47346
Memory corruption while processing a secure logging command in the trusted application.... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Memory Corruption
-
5.3
MEDIUMCVE-2025-15474
AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained con... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Denial of Service
-
6.1
MEDIUMCVE-2025-14875
The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cusdata’ parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes ... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-14460
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler whe... Read more
Affected Products : piraeus_bank_woocommerce_payment_gateway- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-64305
MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Information Disclosure