Latest CVE Feed
-
5.9
MEDIUMCVE-2025-57950
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Glen Scott Plugin Security Scanner allows Stored XSS. This issue affects Plugin Security Scanner: from n/a through 2.0.2.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Scripting
-
7.3
HIGHCVE-2025-55888
Cross-Site Scripting (XSS) vulnerability was discovered in the Ajax transaction manager endpoint of ARD. An attacker can intercept the Ajax response and inject malicious JavaScript into the accountName field. This input is not properly sanitized or encode... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-57925
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in immonex immonex Kickstart Team allows PHP Local File Inclusion. This issue affects immonex Kickstart Team: from n/a through 1.6.9.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Path Traversal
-
4.2
MEDIUMCVE-2025-0875
Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection.This issue affects OBS (Student Affairs Information System): bef... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Authorization
-
8.6
HIGHCVE-2025-10009
Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Authentication
-
4.7
MEDIUMCVE-2025-9540
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-57682
Directory Traversal vulnerability in Papermark 0.20.0 and prior allows authenticated attackers to retrieve arbitrary files from an S3 bucket through its CloudFront distribution via the "POST /api/file/s3/get-presigned-get-url-proxy" API... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Path Traversal
-
4.8
MEDIUMCVE-2025-43807
Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to injec... Read more
- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Scripting
-
7.5
HIGHCVE-2025-36202
IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source.... Read more
Affected Products : webmethods- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Injection
-
5.9
MEDIUMCVE-2025-57912
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dialogity Dialogity Free Live Chat allows Stored XSS. This issue affects Dialogity Free Live Chat: from n/a through 1.0.3.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Scripting
-
7.7
HIGHCVE-2025-35041
Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Authentication
-
5.3
MEDIUMCVE-2025-57987
Missing Authorization vulnerability in ThimPress WP Events Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Events Manager: from n/a through 2.2.1.... Read more
Affected Products : wp_events_manager- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Authorization
-
7.1
HIGHCVE-2025-57918
Cross-Site Request Forgery (CSRF) vulnerability in ERA404 LinkedInclude allows Stored XSS. This issue affects LinkedInclude: from n/a through 3.0.4.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.1
HIGHCVE-2025-9983
GALAYOU G2 cameras stream video output via RTSP streams. By default these streams are protected by randomly generated credentials. However these credentials are not required to access the stream. Changing these values does not change camera's behavior. T... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Authentication
-
5.8
MEDIUMCVE-2025-59797
Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Authorization
-
4.7
MEDIUMCVE-2025-9541
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Scripting
-
9.8
CRITICALCVE-2025-35042
Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this account password are vulnerable to a remote attacker logging in and gaining the privileges... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Authentication
-
5.1
MEDIUMCVE-2025-25177
Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.... Read more
Affected Products : ddk- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Memory Corruption
-
5.4
MEDIUMCVE-2025-9035
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Horato Internet Technologies Ind. And Trade Inc. Virtual Library Platform allows Reflected XSS.This issue affects Virtual Library Platform: before... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Scripting
-
5.9
MEDIUMCVE-2025-53469
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mortgage Calculator BMI Adult & Kid Calculator allows Stored XSS. This issue affects BMI Adult & Kid Calculator: from n/a through 1.2.2.... Read more
Affected Products :- Published: Sep. 22, 2025
- Modified: Sep. 22, 2025
- Vuln Type: Cross-Site Scripting