Latest CVE Feed
-
8.7
HIGHCVE-2025-66473
XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at... Read more
Affected Products : xwiki- Published: Dec. 10, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Denial of Service
-
8.8
HIGHCVE-2025-66474
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient ... Read more
- Published: Dec. 10, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-11699
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate use... Read more
Affected Products : nopcommerce- Published: Dec. 01, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-41732
An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.... Read more
- Published: Dec. 10, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-41730
An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.... Read more
- Published: Dec. 10, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Memory Corruption
-
7.1
HIGHCVE-2025-41749
An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability ... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41747
An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulne... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41746
An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulner... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41748
An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerabili... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41750
An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerabilit... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41751
An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerabili... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41752
An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerabilit... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-65589
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality.... Read more
Affected Products : nopcommerce- Published: Dec. 16, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-65590
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area.... Read more
Affected Products : nopcommerce- Published: Dec. 16, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-65591
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality.... Read more
Affected Products : nopcommerce- Published: Dec. 16, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-65592
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenev... Read more
Affected Products : nopcommerce- Published: Dec. 16, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-65593
nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality.... Read more
Affected Products : nopcommerce- Published: Dec. 16, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2025-11461
Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.... Read more
Affected Products : frappe_crm- Published: Nov. 26, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-2486
The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous... Read more
Affected Products : edk2- Published: Nov. 26, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Misconfiguration
-
8.5
HIGHCVE-2025-13733
BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions.This issue affects BuhoNTFS: 1.3.2.... Read more
Affected Products : buhontfs- Published: Dec. 12, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization