Latest CVE Feed
-
7.1
HIGHCVE-2025-1927
Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery.This issue affects Online Food Delivery System: through 19122025.... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Request Forgery
-
6.1
MEDIUMCVE-2025-14151
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and out... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
5.6
MEDIUMCVE-2025-14267
Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7... Read more
Affected Products : m-files_server- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
5.7
MEDIUMCVE-2025-14738
Improper authentication vulnerability in TP-Link WA850RE (httpd modules) allows unauthenticated attackers to download the configuration file.This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
6.5
MEDIUMCVE-2025-66058
Missing Authorization vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.17.... Read more
Affected Products : post_grid- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-64236
Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse.This issue affects Tuturn: from n/a before 3.6.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
5.0
MEDIUMCVE-2025-62998
Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot allows Retrieve Embedded Sensitive Data.This issue affects WP AI CoPilot: from n/a through 1.2.7.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
7.3
HIGHCVE-2025-68278
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrar... Read more
Affected Products : tina- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
6.8
MEDIUMCVE-2023-30971
Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
6.0
MEDIUMCVE-2025-66910
Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentic... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
7.5
HIGHCVE-2025-66909
Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an image decompression bomb denial of service vulnerability. The ExtendedOpenCVImage class in ai/djl/opencv/ExtendedOpenCVImage.java loads images using OpenCV's imread() function without valida... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Denial of Service
-
8.6
HIGHCVE-2025-13008
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.... Read more
Affected Products : m-files_server- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
7.2
HIGHCVE-2025-64676
'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.... Read more
Affected Products : office_purview- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
-
6.9
MEDIUMCVE-2025-13427
An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents' knowledge and the ability to trigger their intents, by manipulating initial... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
4.8
MEDIUMCVE-2025-14946
A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Misconfiguration
-
7.5
HIGHCVE-2025-66524
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object s... Read more
Affected Products : nifi- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Misconfiguration
-
6.3
MEDIUMCVE-2025-68161
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguratio... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Misconfiguration
-
7.7
HIGHCVE-2025-14739
Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows local unauthenticated attackers the ability to execute DoS attack and potentially arbitrary code execution under the context of the ‘root’ user.This issue affects WR940N... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Memory Corruption
-
8.2
HIGHCVE-2025-64677
Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.... Read more
Affected Products : office_out_of-box_experience- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
-
7.7
HIGHCVE-2025-68279
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.... Read more
Affected Products : weblate- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Path Traversal