Latest CVE Feed
-
4.3
MEDIUMCVE-2025-12180
The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper s... Read more
Affected Products : qi_blocks- Published: Nov. 01, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-12171
The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingest_image() function in versions 1.1.0 to 1.5.0. This makes it possible for authenticated attackers, with Author-lev... Read more
Affected Products :- Published: Nov. 01, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-35021
By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can login to a restricted shell on the fourth attempt, and from there, relay connections.... Read more
Affected Products :- Published: Nov. 04, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authentication
-
6.8
MEDIUMCVE-2025-11193
A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information.... Read more
Affected Products :- Published: Nov. 03, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
7.1
HIGHCVE-2025-12503
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.... Read more
Affected Products : easyflow_.net- Published: Nov. 03, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Injection
-
5.9
MEDIUMCVE-2025-12657
The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.... Read more
Affected Products : mongodb- Published: Nov. 03, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Memory Corruption
-
6.8
MEDIUMCVE-2025-60892
An issue in Raspberry Pi Imager version 1.9.6 for Windows, affecting its OS customization feature. The imager's 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows machine to the authorized_keys fil... Read more
Affected Products :- Published: Nov. 03, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authentication
-
6.4
MEDIUMCVE-2025-11922
The Inactive Logout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ina_redirect_page_individual_user' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes ... Read more
Affected Products :- Published: Nov. 01, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-63443
School Management System PHP v1.0 is vulnerable to Cross Site Scripting (XSS) in /login.php via the password parameter.... Read more
Affected Products :- Published: Nov. 03, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-48397
The privileged user could log in without sufficient credentials after enabling an application protocol. This security issue has been fixed in the latest script patch latest version of of Eaton BLSS (7.3.0.SCP004).... Read more
Affected Products :- Published: Nov. 03, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authentication
-
8.3
HIGHCVE-2025-48396
Arbitrary code execution is possible due to improper validation of the file upload functionality in Eaton BLSS. This security issue has been fixed in the latest script patch latest version of of Eaton BLSS (7.3.0.SCP004).... Read more
Affected Products :- Published: Nov. 03, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Injection
-
5.3
MEDIUMCVE-2025-12041
The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to d... Read more
Affected Products :- Published: Oct. 31, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authorization
-
4.9
MEDIUMCVE-2025-12137
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths... Read more
Affected Products : import_wp- Published: Nov. 01, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Path Traversal
-
8.8
HIGHCVE-2025-6574
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like... Read more
Affected Products :- Published: Nov. 01, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Authentication
-
4.3
MEDIUMCVE-2025-11377
The List category posts plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 0.92.0 via the 'catlist' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authent... Read more
Affected Products : list_category_posts- Published: Nov. 01, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
9.8
CRITICALCVE-2025-6520
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Abis Technology BAPSIS allows Blind SQL Injection.This issue affects BAPSIS: before 202510271606.... Read more
Affected Products : bapsis- Published: Oct. 31, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Injection
-
5.1
MEDIUMCVE-2025-64387
The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on... Read more
Affected Products : tcprs1plus- Published: Oct. 31, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Cross-Site Request Forgery
-
6.8
MEDIUMCVE-2025-4952
Tampering of the registry entries might have led to preventing the ESET security products from starting correctly on the next system startup or to unauthorized changes in the product's configuration.... Read more
- Published: Oct. 31, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Misconfiguration
-
6.3
MEDIUMCVE-2025-11602
Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses.... Read more
- Published: Oct. 31, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Information Disclosure
-
0.0
NACVE-2025-40106
In the Linux kernel, the following vulnerability has been resolved: comedi: fix divide-by-zero in comedi_buf_munge() The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if cha... Read more
Affected Products : linux_kernel- Published: Oct. 31, 2025
- Modified: Nov. 04, 2025
- Vuln Type: Denial of Service