Latest CVE Feed
-
7.3
HIGHCVE-2025-52907
Improper Input Validation vulnerability in TOTOLINK X6000R allows Command Injection, File Manipulation.This issue affects X6000R: through V9.4.0cu.1360_B20241207.... Read more
Affected Products : x6000r_firmware- Published: Sep. 24, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Injection
-
6.5
MEDIUMCVE-2025-20149
A vulnerability in the CLI of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a... Read more
- Published: Sep. 24, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Denial of Service
-
8.1
HIGHCVE-2025-20160
A vulnerability in the implementation of the TACACS+ protocol in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to view sensitive data or bypass authentication. This vulnerability exists because the system... Read more
- Published: Sep. 24, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Authentication
-
7.7
HIGHCVE-2025-20312
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper ... Read more
Affected Products : ios_xe- Published: Sep. 24, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Denial of Service
-
6.7
MEDIUMCVE-2025-20314
A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute persistent code at boot time and break the chain of trust. ... Read more
Affected Products : ios_xe- Published: Sep. 24, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Misconfiguration
-
7.5
HIGHCVE-2025-57323
mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEventHandler function of mpregular version 0.2.0 and before allows attackers to inject properties on Object.pro... Read more
Affected Products :- Published: Sep. 24, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Injection
-
8.2
HIGHCVE-2025-59827
Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege ... Read more
Affected Products :- Published: Sep. 24, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Authorization
-
9.3
CRITICALCVE-2025-52906
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1360_B20241207.... Read more
Affected Products : x6000r_firmware- Published: Sep. 24, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Injection
-
5.9
MEDIUMCVE-2025-60179
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS. This issue affects Click & Tweet: from n/a through 0.8.9.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-10747
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Ad... Read more
Affected Products : wp-downloadmanager- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Authentication
-
5.4
MEDIUMCVE-2025-60181
Server-Side Request Forgery (SSRF) vulnerability in silence Silencesoft RSS Reader allows Server Side Request Forgery. This issue affects Silencesoft RSS Reader: from n/a through 0.6.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Server-Side Request Forgery
-
4.3
MEDIUMCVE-2025-60093
Cross-Site Request Forgery (CSRF) vulnerability in Shahjada Download Manager allows Cross Site Request Forgery. This issue affects Download Manager: from n/a through 3.3.24.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Cross-Site Request Forgery
-
6.9
MEDIUMCVE-2025-43816
A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through upd... Read more
- Published: Sep. 25, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Memory Corruption
-
8.6
HIGHCVE-2025-10544
Unrestricted file upload vulnerability in DocAve 6.13.2, Perimeter 1.12.3, Compliance Guardian 4.7.1, and earlier versions, allowing administrator users to upload files without proper validation. An attacker could exploit this vulnerability by uploading m... Read more
Affected Products : docave- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Path Traversal
-
7.1
HIGHCVE-2025-60173
Cross-Site Request Forgery (CSRF) vulnerability in Ashwani kumar GST for WooCommerce allows Stored XSS. This issue affects GST for WooCommerce: from n/a through 2.0.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.9
MEDIUMCVE-2025-60177
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha – wp allows Stored XSS. This issue affects Recaptcha – wp: from n/a through 0.2.6.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Cross-Site Scripting
-
8.6
HIGHCVE-2025-34227
Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to ... Read more
Affected Products : nagios_xi- Published: Sep. 25, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-59012
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler allows Reflected XSS. This issue affects Traveler: from n/a through n/a.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-11010
A vulnerability has been found in vstakhov libucl up to 0.9.2. Affected by this vulnerability is the function ucl_include_common of the file /src/ucl_util.c. Such manipulation leads to heap-based buffer overflow. Local access is required to approach this ... Read more
Affected Products : libucl- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Memory Corruption
-
7.1
HIGHCVE-2025-60170
Cross-Site Request Forgery (CSRF) vulnerability in Taraprasad Swain HTACCESS IP Blocker allows Stored XSS. This issue affects HTACCESS IP Blocker: from n/a through 1.0.... Read more
Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 26, 2025
- Vuln Type: Cross-Site Request Forgery