Latest CVE Feed
- 
                                
                                9.8CRITICALCVE-2025-11052A security flaw has been discovered in kidaze CourseSelectionSystem 1.0/5.php. The impacted element is an unknown function of the file /Profilers/PriProfile/COUNT3s5.php. Performing manipulation of the argument csslc results in sql injection. The attack c... Read more Affected Products : courseselectionsystem- Published: Sep. 27, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Injection
 
- 
                                
                                6.5MEDIUMCVE-2025-11051A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely.... Read more Affected Products : pet_grooming_management_software- Published: Sep. 27, 2025
- Modified: Oct. 03, 2025
- Vuln Type: Cross-Site Request Forgery
 
- 
                                
                                7.2HIGHCVE-2025-9816The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and outp... Read more Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
 
- 
                                
                                7.5HIGHCVE-2025-3193Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extrem... Read more Affected Products : algoliasearch-helper- Published: Sep. 27, 2025
- Modified: Oct. 05, 2025
- Vuln Type: Injection
 
- 
                                
                                8.8HIGHCVE-2025-11050A flaw has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /periodo-lancamento. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been published and may b... Read more Affected Products : i-educar- Published: Sep. 27, 2025
- Modified: Oct. 03, 2025
- Vuln Type: Authorization
 
- 
                                
                                7.5HIGHCVE-2025-10954Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime ... Read more Affected Products : phonenumbers- Published: Sep. 27, 2025
- Modified: Oct. 03, 2025
- Vuln Type: Denial of Service
 
- 
                                
                                8.8HIGHCVE-2025-11049A vulnerability was detected in Portabilis i-Educar up to 2.10. Affected by this issue is some unknown functionality of the file /unificacao-aluno. Performing manipulation results in improper authorization. Remote exploitation of the attack is possible. T... Read more Affected Products : i-educar- Published: Sep. 27, 2025
- Modified: Oct. 03, 2025
- Vuln Type: Authorization
 
- 
                                
                                4.3MEDIUMCVE-2025-10499The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation on the maybe_opt_in() functi... Read more Affected Products : ninja_forms- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Request Forgery
 
- 
                                
                                4.3MEDIUMCVE-2025-10498The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This m... Read more Affected Products : ninja_forms- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Request Forgery
 
- 
                                
                                6.4MEDIUMCVE-2025-8440The Team Members plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the first and last name fields in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authen... Read more Affected Products : team_members- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
 
- 
                                
                                6.1MEDIUMCVE-2025-36239IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading t... Read more Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Scripting
 
- 
                                
                                6.5MEDIUMCVE-2024-43192IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.... Read more Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Request Forgery
 
- 
                                
                                8.1HIGHCVE-2025-59945SysReptor is a fully customizable pentest reporting platform. In versions from 2024.74 to before 2025.83, authenticated and unprivileged (non-admin) users can assign the is_project_admin permission to their own user. This allows users to read, modify and ... Read more Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Authorization
 
- 
                                
                                8.8HIGHCVE-2025-59939WeGIA is a Web manager for charitable institutions. Prior to version 3.5.0, WeGIA is vulnerable to SQL Injection attacks in the control.php endpoint with the following parameters: nomeClasse=ProdutoControle&metodo=excluir&id_produto=[malicious command]. I... Read more Affected Products : wegia- Published: Sep. 27, 2025
- Modified: Oct. 06, 2025
- Vuln Type: Injection
 
- 
                                
                                6.5MEDIUMCVE-2025-59938Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions starting from 3.8.0 to before 4.11.0, wazuh-analysisd is vulnerable to a heap buffer overflow when parsing XML elements from Windows EventChannel mes... Read more Affected Products : wazuh- Published: Sep. 27, 2025
- Modified: Oct. 16, 2025
- Vuln Type: Memory Corruption
 
- 
                                
                                9.4CRITICALCVE-2025-59936get-jwks contains fetch utils for JWKS keys. In versions prior to 11.0.2, a vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. When the iss (issuer) claim is validated only after keys are retrieved from the cache, it... Read more Affected Products :- Published: Sep. 27, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Misconfiguration
 
- 
                                
                                8.6HIGHCVE-2025-59932Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previously allowed POST and DELETE requests without proper authentication or authorization. This could have enabled unauthorized users to cre... Read more Affected Products : flagforge- Published: Sep. 27, 2025
- Modified: Oct. 08, 2025
- Vuln Type: Authentication
 
- 
                                
                                5.5MEDIUMCVE-2025-36144IBM Lakehouse (watsonx.data 2.2) stores potentially sensitive information in log files that could be read by a local user.... Read more Affected Products : watsonx.data- Published: Sep. 27, 2025
- Modified: Oct. 03, 2025
- Vuln Type: Information Disclosure
 
- 
                                
                                9.4CRITICALCVE-2025-59934Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying their signatures. ... Read more Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Authentication
 
- 
                                
                                8.2HIGHCVE-2025-59845Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified... Read more Affected Products :- Published: Sep. 26, 2025
- Modified: Sep. 29, 2025
- Vuln Type: Cross-Site Request Forgery
 
 
                         
                         
                         
                                             
                                            