Latest CVE Feed
-
6.4
MEDIUMCVE-2025-13898
The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_id' parameter of the [ultra_skype] shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This m... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-12966
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with A... Read more
Affected Products : all-in-one_video_gallery- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authentication
-
0.0
NACVE-2025-40303
In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I notice... Read more
Affected Products : linux_kernel- Published: Dec. 08, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Misconfiguration
-
0.0
NACVE-2025-40289
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Otherwise accessing them can cause a crash.... Read more
Affected Products : linux_kernel- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Misconfiguration
-
0.0
NACVE-2025-40286
In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible memory leak in smb2_read() Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().... Read more
Affected Products : linux_kernel- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Memory Corruption
-
0.0
NACVE-2025-40284
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel... Read more
Affected Products : linux_kernel- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Memory Corruption
-
0.0
NACVE-2025-40278
In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by the syzbot . [net?] KMSAN: kernel-infoleak in __skb_datagram_iter I... Read more
Affected Products : linux_kernel- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Information Disclosure
-
0.0
NACVE-2025-40287
In the Linux kernel, the following vulnerability has been resolved: exfat: fix improper check of dentry.stream.valid_size We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an ex... Read more
Affected Products : linux_kernel- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Denial of Service
-
0.0
NACVE-2025-40285
In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible refcount leak in smb2_sess_setup() Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put... Read more
Affected Products : linux_kernel- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Memory Corruption
-
0.0
NACVE-2025-40279
In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the pad... Read more
Affected Products : linux_kernel- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Information Disclosure
-
5.3
MEDIUMCVE-2025-13358
The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Setti... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization
-
6.1
MEDIUMCVE-2025-13626
The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unau... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-14207
A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injecti... Read more
Affected Products :- Published: Dec. 08, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Injection
-
0.0
NACVE-2025-40276
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachel... Read more
Affected Products : linux_kernel- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Memory Corruption
-
6.5
MEDIUMCVE-2025-14184
A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be ... Read more
Affected Products :- Published: Dec. 07, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Injection
-
5.1
MEDIUMCVE-2025-14186
A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cros... Read more
Affected Products :- Published: Dec. 07, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2025-13629
The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplp_api_update_text' function. This makes it possible for unauthenticated at... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-12574
The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization
-
7.2
HIGHCVE-2025-12510
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This ma... Read more
Affected Products : widgets_for_google_reviews- Published: Dec. 06, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Cross-Site Scripting
-
4.2
MEDIUMCVE-2025-8148
An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key.... Read more
Affected Products : goanywhere_managed_file_transfer- Published: Dec. 05, 2025
- Modified: Dec. 08, 2025
- Vuln Type: Authorization