Latest CVE Feed
-
8.6
HIGHCVE-2025-12465
A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but... Read more
Affected Products : quick.cms- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Injection
-
4.6
MEDIUMCVE-2025-66403
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3, a stored cross-site scripting (XSS) vulnerability exists in the Filerise application due to improper handling of uploaded SVG files. Th... Read more
Affected Products : filerise- Published: Dec. 01, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Cross-Site Scripting
-
9.0
CRITICALCVE-2025-13828
SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ImpactA low-privileged user of the platform can install ... Read more
Affected Products : mautic- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Misconfiguration
-
8.7
HIGHCVE-2025-55749
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessi... Read more
Affected Products : xwiki- Published: Dec. 01, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-13606
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This mak... Read more
Affected Products : export_all_posts\,_products\,_orders\,_refunds_\&_users- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.7
HIGHCVE-2025-13000
The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks... Read more
Affected Products :- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Authorization
-
4.1
MEDIUMCVE-2025-13001
The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks... Read more
Affected Products :- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2025-13295
Insertion of Sensitive Information Into Sent Data vulnerability in Argus Technology Inc. BILGER allows Choosing Message Identifier.This issue affects BILGER: before 2.4.9.... Read more
Affected Products :- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Information Disclosure
-
5.1
MEDIUMCVE-2025-13879
Directory traversal vulnerability in SOLIDserver IPAM v8.2.3. This vulnerability allows an authenticated user with administrator privileges to list directories other than those to which the have authorized access using the 'directory' parameter in '/mod/a... Read more
Affected Products : solidserver_ipam- Published: Dec. 02, 2025
- Modified: Dec. 02, 2025
- Vuln Type: Path Traversal