Latest CVE Feed
-
7.2
HIGHCVE-2025-13376
The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Misconfiguration
-
4.3
MEDIUMCVE-2025-13382
The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/fi... Read more
Affected Products : frontend_file_manager_plugin- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
8.2
HIGHCVE-2025-12003
A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more i... Read more
Affected Products : router- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Path Traversal
-
5.4
MEDIUMCVE-2025-13558
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes i... Read more
Affected Products : blog2social- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
7.2
HIGHCVE-2025-13068
The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthe... Read more
Affected Products : telegram_bot_\&_channel- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Scripting
-
9.3
CRITICALCVE-2025-9803
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensu... Read more
Affected Products : lunary- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authentication
-
8.5
HIGHCVE-2025-59373
A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arb... Read more
Affected Products : myasus- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Path Traversal
-
9.8
CRITICALCVE-2025-6389
The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that throu... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Injection
-
4.3
MEDIUMCVE-2025-12634
The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authe... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
0.0
NACVE-2025-40212
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a know... Read more
Affected Products : linux_kernel- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Denial of Service
-
4.3
MEDIUMCVE-2025-12587
The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to a... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Request Forgery
-
9.2
CRITICALCVE-2025-59366
An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization. Refer to th... Read more
Affected Products : router- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authentication
-
7.5
HIGHCVE-2025-59370
A command injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary commands, leading to the device executing unintended instructions. Refer to the 'Security U... Read more
Affected Products : router- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Injection
-
6.9
MEDIUMCVE-2025-41017
Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-41729
An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Denial of Service
-
7.3
HIGHCVE-2025-12739
An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Sel... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Scripting
-
5.1
MEDIUMCVE-2025-13589
FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Scripting
-
5.1
MEDIUMCVE-2025-41087
Cross-Site Scripting (XSS) vulnerability stored in tha Taclia web application, where the uploaded SVG images are not properly sanitized. This allows to the attackers to embed malicious scripts in SVG files such as image profiles, which are then stored on ... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Scripting
-
8.7
HIGHCVE-2025-34350
UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the ... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-13414
The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for una... Read more
Affected Products : chamber_dashboard_business_directory- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization