Latest CVE Feed
-
5.9
MEDIUMCVE-2025-68481
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them t... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Request Forgery
-
6.5
MEDIUMCVE-2025-15014
A security flaw has been discovered in loganhong php loganSite up to c035fb5c3edd0b2a5e32fd4051cbbc9e61a31426. This affects an unknown function of the file /includes/article_detail.php of the component Article Handler. Performing manipulation of the argum... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Injection
-
7.2
HIGHCVE-2025-9343
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket subjects in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This make... Read more
Affected Products : wsdesk- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
0.0
NACVE-2025-68337
In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's issue when file system corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/tr... Read more
Affected Products : linux_kernel- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Misconfiguration
-
7.1
HIGHCVE-2025-14299
The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocat... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service
-
7.2
HIGHCVE-2025-14855
The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticate... Read more
Affected Products :- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
8.7
HIGHCVE-2025-15015
Enterprise Cloud Database developed by Ragic has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.... Read more
Affected Products : enterprise_cloud_database- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Path Traversal
-
2.3
LOWCVE-2025-61738
Under certain circumstances, attacker can capture the network key, read or write encrypted packets on the PowerG network.... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cryptography
-
2.7
LOWCVE-2025-12654
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricti... Read more
Affected Products : migration\,_backup\,_staging- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Misconfiguration
-
4.3
MEDIUMCVE-2023-47232
Vulnerability in mojofywp WP Affiliate Disclosure wp-affiliate-disclosure.This issue affects WP Affiliate Disclosure: from n/a through 1.2.6.... Read more
Affected Products : wp_affiliate_disclosure- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
-
8.5
HIGHCVE-2025-34290
Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs fi... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Race Condition
-
4.4
MEDIUMCVE-2025-14735
The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for auth... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
9.8
CRITICALCVE-2025-13329
The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes ... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication
-
7.1
HIGHCVE-2025-8065
A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-se... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
0.0
NACVE-2025-68338
In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Don't free uninitialized ksz_irq If something goes wrong at setup, ksz_irq_free() can be called on uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails... Read more
Affected Products : linux_kernel- Published: Dec. 23, 2025
- Modified: Dec. 23, 2025
-
6.4
MEDIUMCVE-2025-14548
The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated... Read more
Affected Products : calendar- Published: Dec. 23, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2023-53964
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data t... Read more
Affected Products : stream- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication
-
0.0
NACVE-2025-68343
In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use str... Read more
Affected Products : linux_kernel- Published: Dec. 23, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
5.3
MEDIUMCVE-2025-12820
The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them.... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authorization
-
8.7
HIGHCVE-2025-14300
The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication