Latest CVE Feed
-
4.4
MEDIUMCVE-2025-12032
The Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vithanhlam_zsocial_save_messager’, 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-13311
The Just Highlight plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Highlight Color' setting in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authe... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-13386
The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'options_update' function in all versions up to, and including, 2.1. This makes it possible for unauthenticated atta... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
5.1
MEDIUMCVE-2025-65944
Sentry-Javascript is an official Sentry SDKs for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including th... Read more
Affected Products : astro- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Information Disclosure
-
9.3
CRITICALCVE-2018-25126
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML reques... Read more
Affected Products : nvms-9000_firmware- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Injection
-
7.3
HIGHCVE-2025-52539
A buffer overflow with Xilinx Run Time Environment may allow a local attacker to read or corrupt data from the advanced extensible interface (AXI), potentially resulting in loss of confidentiality, integrity, and/or availability.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Memory Corruption
-
6.4
MEDIUMCVE-2025-12645
The Inline frame – Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attrib... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-56400
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an at... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Request Forgery
-
6.0
MEDIUMCVE-2025-59368
An integer underflow vulnerability has been identified in Aicloud. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the ' Security Update for ASUS Router... Read more
Affected Products : router- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Denial of Service
-
4.9
MEDIUMCVE-2025-13370
The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 0.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-63958
MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Information Disclosure
-
8.7
HIGHCVE-2025-41016
Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms/<ALARM_ID>/<MEDIA>”, where the “MEDIA” parameter can take the value of “... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-63914
An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared ... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2025-13405
The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible f... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
6.9
MEDIUMCVE-2025-41017
Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
5.5
MEDIUMCVE-2025-13466
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, cau... Read more
Affected Products : body-parser- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-63953
A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.3
MEDIUMCVE-2025-13404
The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authentica... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization
-
0.0
NACVE-2025-40213
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. ... Read more
Affected Products : linux_kernel- Published: Nov. 24, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Memory Corruption
-
4.3
MEDIUMCVE-2025-13452
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that... Read more
Affected Products :- Published: Nov. 25, 2025
- Modified: Nov. 25, 2025
- Vuln Type: Authorization