Latest CVE Feed
-
9.3
CRITICALCVE-2025-12140
The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. The application interprets the entered string of characters as a Java expression, allowing an unauthenticated atta... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Injection
-
4.8
MEDIUMCVE-2025-13762
Improper Input Validation vulnerability in CyberArk CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to starting new SWS sessions.This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305.... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Denial of Service
-
4.3
MEDIUMCVE-2025-13737
The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible ... Read more
Affected Products : nextend_social_login- Published: Nov. 28, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.7
HIGHCVE-2020-36874
ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication ... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Information Disclosure
-
8.7
HIGHCVE-2020-36871
ESCAM QD-900 WIFI HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint allows remote download of a compressed configuration backup without requiring authentication or aut... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Information Disclosure
-
9.2
CRITICALCVE-2024-5539
The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation serv... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-13615
The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system r... Read more
Affected Products :- Published: Nov. 30, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-66421
Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69.... Read more
Affected Products :- Published: Nov. 30, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-41738
An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition.... Read more
- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Denial of Service
-
5.4
MEDIUMCVE-2025-13296
Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery.This issue affects T-Soft E-Commerce: through 28112025.... Read more
Affected Products :- Published: Dec. 01, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-10476
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated att... Read more
Affected Products : wp_fastest_cache- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-65278
An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords.... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Information Disclosure
-
6.9
MEDIUMCVE-2024-5540
The reflective cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels allowing a malicious actor to compromise the client browser .... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Scripting
-
8.7
HIGHCVE-2025-0658
A vulnerability in Automated Logic and Carrier's Zone Controller via BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed.... Read more
- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Denial of Service
-
4.3
MEDIUMCVE-2025-12578
The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possib... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.2
HIGHCVE-2025-13692
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for un... Read more
Affected Products : unlimited_elements_for_elementor- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-12579
The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset ... Read more
Affected Products :- Published: Nov. 27, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization
-
9.4
CRITICALCVE-2025-66385
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in th... Read more
Affected Products : cerebrate- Published: Nov. 28, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization
-
6.9
MEDIUMCVE-2025-12143
Stack-based Buffer Overflow vulnerability in ABB Terra AC wallbox.This issue affects Terra AC wallbox: through 1.8.33.... Read more
Affected Products :- Published: Nov. 28, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Memory Corruption
-
8.4
HIGHCVE-2025-66223
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same ... Read more
Affected Products : openobserve- Published: Nov. 29, 2025
- Modified: Dec. 01, 2025
- Vuln Type: Authorization