Latest CVE Feed
-
7.5
HIGHCVE-2025-13442
A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack m... Read more
Affected Products :- Published: Nov. 20, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Injection
-
7.3
HIGHCVE-2025-13433
A security flaw has been discovered in Muse Group MuseHub 2.1.0.1567. The affected element is an unknown function of the file C:\Program Files\WindowsApps\Muse.MuseHub_2.1.0.1567_x64__rb9pth70m6nz6\Muse.Updater.exe of the component Windows Service. The ma... Read more
Affected Products :- Published: Nov. 20, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Misconfiguration
-
9.2
CRITICALCVE-2025-12414
An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-h... Read more
Affected Products :- Published: Nov. 20, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Authentication
-
8.1
HIGHCVE-2025-64759
Homarr is an open-source dashboard. Prior to version 1.43.3, stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SV... Read more
Affected Products :- Published: Nov. 19, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting
-
2.3
LOWCVE-2025-11884
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow an attacker has high level access to UCMDB to create or update data with malicious... Read more
Affected Products :- Published: Nov. 19, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-65103
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries.... Read more
Affected Products : openstamanager- Published: Nov. 19, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Injection
-
6.9
MEDIUMCVE-2025-65100
Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue... Read more
Affected Products :- Published: Nov. 19, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Misconfiguration
-
4.8
MEDIUMCVE-2025-13469
A security vulnerability has been detected in Public Knowledge Project omp and ojs 3.3.0/3.4.0/3.5.0. Impacted is an unknown function of the file plugins/paymethod/manual/templates/paymentForm.tpl of the component Payment Instructions Setting Handler. The... Read more
Affected Products :- Published: Nov. 20, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting
-
4.8
MEDIUMCVE-2025-35029
Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when a victi... Read more
Affected Products :- Published: Nov. 20, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-12135
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unaut... Read more
Affected Products : wpbookit- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2025-11773
The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and inc... Read more
Affected Products :- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-12170
The Checkbox plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_ajax_nopriv_checkbox_clean_log' AJAX endpoint in all versions up to, and including, 2.8.10. This makes it possible for unauthenticate... Read more
Affected Products :- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Authorization
-
6.4
MEDIUMCVE-2025-13135
The HotelRunner Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hotelrunner' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user suppli... Read more
Affected Products :- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting
-
8.1
HIGHCVE-2025-13322
The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not properly validating us... Read more
Affected Products :- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Path Traversal
-
5.6
MEDIUMCVE-2025-13437
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symli... Read more
Affected Products :- Published: Nov. 20, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Misconfiguration
-
6.4
MEDIUMCVE-2025-11763
The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column_count' parameter in the [display-pages] shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and o... Read more
Affected Products :- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-10938
The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authent... Read more
Affected Products : uipress_lite- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Information Disclosure
-
6.4
MEDIUMCVE-2025-12964
The Magical Products Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters in the MPD Pricing Table widget in all versions up to, and including, 1.1.29 due to insufficient i... Read more
Affected Products :- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting
-
5.8
MEDIUMCVE-2025-64751
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to i... Read more
Affected Products : openfga- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Authorization
-
6.4
MEDIUMCVE-2025-11808
The Shortcode for Google Street View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'streetview' shortcode in all versions up to, and including, 0.5.7. This is due to insufficient input sanitization and output escaping on the 'i... Read more
Affected Products :- Published: Nov. 21, 2025
- Modified: Nov. 21, 2025
- Vuln Type: Cross-Site Scripting