Latest CVE Feed
-
6.5
MEDIUMCVE-2025-14744
Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.... Read more
Affected Products : firefox- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
6.1
MEDIUMCVE-2025-9787
Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.... Read more
Affected Products : manageengine_applications_manager- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-65009
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question. The vendor was notified early about t... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
7.5
HIGHCVE-2025-1031
Authorization Bypass Through User-Controlled Key vulnerability in Utarit Informatics Services Inc. SoliClub allows Functionality Misuse.This issue affects SoliClub: from 5.2.4 before 5.3.7.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-65010
WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. Malicious attacker can change admin panel password without authorization. The vulnerability can also be exp... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
4.3
MEDIUMCVE-2025-7047
Missing Authorization vulnerability in Utarit Informatics Services Inc. SoliClub allows Privilege Abuse.This issue affects SoliClub: before 5.3.7.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
0.0
NACVE-2025-68325
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cak... Read more
Affected Products : linux_kernel- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Memory Corruption
-
9.8
CRITICALCVE-2025-64236
Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse.This issue affects Tuturn: from n/a before 3.6.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication
-
4.9
MEDIUMCVE-2025-58053
Galette is a membership management web application for non profit organizations. Prior to version 1.2.0, while updating any existing account with a self forged POST request, one can gain higher privileges. Version 1.2.0 fixes the issue.... Read more
Affected Products : galette- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-58052
Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role... Read more
Affected Products : galette- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-62002
BullWall Ransomware Containment relies on the number of file modifications to trigger detection. An authenticated attacker could encrypt a single large file without triggering a detection alert. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirm... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Denial of Service
-
3.8
LOWCVE-2025-14882
An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.... Read more
Affected Products : pretix- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-12361
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user ... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authorization
-
6.1
MEDIUMCVE-2025-14151
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and out... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.2
HIGHCVE-2025-13999
The HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions from 2.4.0 up to, and including, 2.5.1 via the getIcyMetadata() function. This makes it possible fo... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Server-Side Request Forgery
-
5.3
MEDIUMCVE-2025-13754
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/w... Read more
Affected Products : simply_schedule_appointments- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure
-
8.3
HIGHCVE-2025-64675
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.... Read more
Affected Products : cosmos_db- Published: Dec. 19, 2025
- Modified: Dec. 19, 2025
-
7.5
HIGHCVE-2025-53710
Due to a product misconfiguration in certain deployment types, it was possible from different pods in the same namespace to communicate with each other. This issue resulted in bypass of access control due to the presence of a vulnerable endpoint in Foundr... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Misconfiguration
-
8.3
HIGHCVE-2025-14884
A vulnerability was detected in D-Link DIR-605 202WWB03. Affected by this issue is some unknown functionality of the component Firmware Update Service. Performing manipulation results in command injection. The attack can be initiated remotely. The exploit... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Injection
-
5.0
MEDIUMCVE-2025-62998
Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot allows Retrieve Embedded Sensitive Data.This issue affects WP AI CoPilot: from n/a through 1.2.7.... Read more
Affected Products :- Published: Dec. 18, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Information Disclosure