Latest CVE Feed
-
7.1
HIGHCVE-2025-34294
Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM... Read more
Affected Products :- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Race Condition
-
0.0
NACVE-2025-40027
In the Linux kernel, the following vulnerability has been resolved: net/9p: fix double req put in p9_fd_cancelled Syzkaller reports a KASAN issue as below: general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEM... Read more
Affected Products : linux_kernel- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Race Condition
-
9.8
CRITICALCVE-2025-36386
IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.... Read more
Affected Products : maximo_application_suite- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Authentication
-
8.3
HIGHCVE-2025-58356
Constellation is the first Confidential Kubernetes. The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the libcryptsetup function crypt_activate_by_passhrase. If the VM i... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cryptography
-
5.1
MEDIUMCVE-2025-34314
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SRC, DST, and COMMENT parameters when creating a time constrain... Read more
Affected Products : ipfire- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-12325
A vulnerability has been found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /panel/forgot-password.php. The manipulation of the argument email leads to sql injection. The attack can be initiated remotely. Th... Read more
Affected Products : best_salon_management_system- Published: Oct. 27, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-61101
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.... Read more
Affected Products :- Published: Oct. 27, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Denial of Service
-
9.8
CRITICALCVE-2025-60355
zhangyd-c OneBlog before 2.3.9 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.... Read more
Affected Products :- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Injection
-
5.1
MEDIUMCVE-2025-34301
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user... Read more
Affected Products : ipfire- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-54604
Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 1 of 2).... Read more
Affected Products :- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Denial of Service
-
5.8
MEDIUMCVE-2025-62796
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachment_name) when attachments are enabled. An attacker can modif... Read more
Affected Products : privatebin- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-34304
IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of Op... Read more
Affected Products : ipfire- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Injection
-
0.0
NACVE-2025-40037
In the Linux kernel, the following vulnerability has been resolved: fbdev: simplefb: Fix use after free in simplefb_detach_genpds() The pm_domain cleanup can not be devres managed as it uses struct simplefb_par which is allocated within struct fb_info b... Read more
Affected Products : linux_kernel- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Memory Corruption
-
9.6
CRITICALCVE-2025-4665
WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises due to insufficient validation ... Read more
Affected Products : cfdb7- Published: Oct. 29, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-12347
A flaw has been found in MaxSite CMS up to 109. This issue affects some unknown processing of the file application/maxsite/admin/plugins/editor_files/save-file-ajax.php. Executing manipulation of the argument file_path/content can lead to unrestricted upl... Read more
Affected Products : cms- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Misconfiguration
-
5.0
MEDIUMCVE-2025-62781
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently ... Read more
Affected Products : pilos- Published: Oct. 27, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Authentication
-
5.1
MEDIUMCVE-2025-34310
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters whe... Read more
Affected Products : ipfire- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Scripting
-
9.1
CRITICALCVE-2025-61235
An issue was discovered in Dataphone A920 v2025.07.161103. A custom packet based on public documentation can be crafted, where some fields can contain arbitrary or trivial data. Normally, such data should cause the device to reject the packet. However, du... Read more
Affected Products :- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Authentication
-
5.1
MEDIUMCVE-2025-34305
IPFire versions prior to 2.29 (Core Update 198) contain multiple stored cross-site scripting (XSS) vulnerabilities caused by a bug in the cleanhtml() function (/var/ipfire/header.pl) that fails to apply HTML-entity encoding to user input. When an authenti... Read more
Affected Products : ipfire- Published: Oct. 28, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Cross-Site Scripting
-
1.2
LOWCVE-2025-62779
Frappe Learning is a learning system that helps users structure their content. In Frappe Learning 2.39.1 and earlier, users were able to add HTML through input fields in the Job Form.... Read more
Affected Products : learning- Published: Oct. 27, 2025
- Modified: Oct. 30, 2025
- Vuln Type: Misconfiguration