Latest CVE Feed
-
7.5
HIGHCVE-2024-38524
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except... Read more
- Published: Jun. 10, 2025
- Modified: Aug. 26, 2025
- Vuln Type: Information Disclosure
-
9.3
CRITICALCVE-2024-34711
GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP ... Read more
- Published: Jun. 10, 2025
- Modified: Aug. 26, 2025
- Vuln Type: XML External Entity
-
8.2
HIGHCVE-2024-29198
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoS... Read more
- Published: Jun. 10, 2025
- Modified: Aug. 26, 2025
- Vuln Type: Server-Side Request Forgery
-
7.1
HIGHCVE-2025-49511
Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework allows Cross Site Request Forgery.This issue affects Civi Framework: from n/a through 2.1.6.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-49510
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Min Max Step Quantity Limits Manager for WooCommerce allows Cross Site Request Forgery.This issue affects Min Max Step Quantity Limits Manager for WooCommerce: from n/a through 5.1.0.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.3
MEDIUMCVE-2025-49509
Missing Authorization vulnerability in Roland Beaussant Audio Editor & Recorder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Audio Editor & Recorder: from n/a through 2.2.1.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Authorization
-
9.8
CRITICALCVE-2025-49507
Deserialization of Untrusted Data vulnerability in LoftOcean CozyStay allows Object Injection.This issue affects CozyStay: from n/a before 1.7.1.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-49455
Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection.This issue affects TinySalt: from n/a before 3.10.0.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Injection
-
8.1
HIGHCVE-2025-49454
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean TinySalt allows PHP Local File Inclusion.This issue affects TinySalt: from n/a before 3.10.0.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Path Traversal
-
6.4
MEDIUMCVE-2025-4774
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping... Read more
Affected Products : premium_addons_for_elementor- Published: Jun. 10, 2025
- Modified: Jul. 16, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-4577
The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and ou... Read more
Affected Products : smash_balloon_social_post_feed- Published: Jun. 10, 2025
- Modified: Jul. 16, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-43701
Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data. This impacts OmniStudio: before version 254.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-43700
Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-43699
Client-Side Enforcement of Server-Side Security vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of required permission check. This impacts OmniStudio: before Spring 2025... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 18, 2025
- Vuln Type: Authorization
-
9.1
CRITICALCVE-2025-43698
Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. This impacts OmniStudio: before Spring 2025... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-43697
Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Information Disclosure
-
6.4
MEDIUMCVE-2025-2918
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it poss... Read more
Affected Products : ultimate_blocks- Published: Jun. 10, 2025
- Modified: Jul. 14, 2025
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2025-41657
Due to an undocumented active bluetooth stack on products delivered within the period 01.01.2024 to 09.05.2025 fingerprinting is possible by an unauthenticated adjacent attacker.... Read more
Affected Products :- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Information Disclosure
-
7.3
HIGHCVE-2024-13090
A privilege escalation vulnerability may enable a service account to elevate its privileges. The sudo rules configured for a local service account were excessively permissive, potentially allowing administrative access if a malicious actor could execut... Read more
- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2024-13089
An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands. Users with administrative privileges may upload update packages to upgrade the versions of Noz... Read more
- Published: Jun. 10, 2025
- Modified: Jun. 12, 2025
- Vuln Type: Injection