Latest CVE Feed
-
8.8
HIGHCVE-2025-13227
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)... Read more
- Published: Nov. 18, 2025
- Modified: Nov. 19, 2025
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2025-13228
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)... Read more
- Published: Nov. 18, 2025
- Modified: Nov. 19, 2025
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2025-13229
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)... Read more
- Published: Nov. 18, 2025
- Modified: Nov. 19, 2025
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2025-13230
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)... Read more
- Published: Nov. 18, 2025
- Modified: Nov. 19, 2025
- Vuln Type: Memory Corruption
-
8.8
HIGHCVE-2025-13345
A security vulnerability has been detected in SourceCodester Train Station Ticketing System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_ticket. Such manipulation leads to sql injection. The attack can be lau... Read more
- Published: Nov. 18, 2025
- Modified: Nov. 19, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-13344
A weakness has been identified in SourceCodester Train Station Ticketing System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=login. This manipulation of the argument Username causes sql injection. The attack... Read more
- Published: Nov. 18, 2025
- Modified: Nov. 19, 2025
- Vuln Type: Injection
-
8.8
HIGHCVE-2025-13325
A vulnerability was determined in itsourcecode Student Information System 1.0. The affected element is an unknown function of the file /enrollment_edit1.php. Executing manipulation of the argument en_id can lead to sql injection. The attack may be perform... Read more
Affected Products : student_information_system- Published: Nov. 18, 2025
- Modified: Nov. 19, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-13323
A security flaw has been discovered in code-projects Simple Pizza Ordering System 1.0. Affected is an unknown function of the file /listorder.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. T... Read more
Affected Products : simple_pizza_ordering_system- Published: Nov. 18, 2025
- Modified: Nov. 19, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-13306
A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. Impacted is the function system of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to command injection. Remote expl... Read more
- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Injection
-
5.3
MEDIUMCVE-2025-64766
NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module fo... Read more
Affected Products :- Published: Nov. 17, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Misconfiguration
-
3.2
LOWCVE-2025-12792
The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permis... Read more
Affected Products : canva- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Misconfiguration
-
8.1
HIGHCVE-2025-12528
The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file e... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Misconfiguration
-
7.2
HIGHCVE-2025-4212
The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Cross-Site Scripting
-
5.7
MEDIUMCVE-2025-52457
Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vC... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Information Disclosure
-
6.4
MEDIUMCVE-2025-11868
The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `everviz` shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a `<d... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-12937
The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Authorization
-
6.4
MEDIUMCVE-2025-8605
The Gutenify – Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output e... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2025-12639
The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-9625
The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the maybe_restr... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.2
HIGHCVE-2025-11620
The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1... Read more
Affected Products :- Published: Nov. 18, 2025
- Modified: Nov. 18, 2025
- Vuln Type: Authorization