Latest CVE Feed
-
0.0
NACVE-2023-53299
In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix leak of 'r10bio->remaining' for recovery raid10_sync_request() will add 'r10bio->remaining' for both rdev and replacement rdev. However, if the read io fails, recovery_re... Read more
Affected Products : linux_kernel- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Memory Corruption
-
3.2
LOWCVE-2025-59437
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current vers... Read more
Affected Products : ip- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Server-Side Request Forgery
-
6.5
MEDIUMCVE-2025-5518
Authorization Bypass Through User-Controlled Key vulnerability with user privileges in ArgusTech BILGER allows Exploitation of Trusted Identifiers.This issue affects BILGER: before 2.4.6.... Read more
Affected Products :- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Authorization
-
5.3
MEDIUMCVE-2025-9808
The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected ven... Read more
Affected Products : the_events_calendar- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Information Disclosure
-
4.8
MEDIUMCVE-2025-10015
The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the applicatio... Read more
Affected Products :- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Authorization
-
5.4
MEDIUMCVE-2025-6575
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dolusoft Omaspot allows Reflected XSS.This issue affects Omaspot: before 12.09.2025.... Read more
Affected Products :- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
9.6
CRITICALCVE-2025-7743
Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation.This issue affects Omaspot: before 12.09.2025.... Read more
Affected Products :- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cryptography
-
5.3
MEDIUMCVE-2025-43797
In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allo... Read more
- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Misconfiguration
-
8.8
HIGHCVE-2025-59145
color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload ... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
6.3
MEDIUMCVE-2025-55211
FreePBX is an open-source web-based graphical user interface. From 17.0.19.11 to before 17.0.21, authenticated users of the Administrator Control Panel (ACP) can run arbitrary shell commands by maliciously changing languages of the framework module. This ... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Injection
-
9.8
CRITICALCVE-2025-7744
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dolusoft Omaspot allows SQL Injection.This issue affects Omaspot: before 12.09.2025.... Read more
Affected Products :- Published: Sep. 16, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Injection
-
6.9
MEDIUMCVE-2025-43799
Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a us... Read more
- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Authorization
-
8.8
HIGHCVE-2025-59162
color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch vers... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
6.8
MEDIUMCVE-2025-10475
A weakness has been identified in SpyShelter up to 15.4.0.1015. Affected is an unknown function in the library SpyShelter.sys of the component IOCTL Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit ... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Denial of Service
-
5.4
MEDIUMCVE-2025-45091
Seafile versions 11.0.18-Pro, 12.0.10, and 12.0.10-Pro are vulnerable to a stored Cross-Site Scripting (XSS) attack. An authenticated attacker can exploit this vulnerability by modifying their username to include a malicious XSS payload in notification an... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
3.1
LOWCVE-2025-59398
The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString<255> object is created with StringTooLarge set to Throw.... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Denial of Service
-
4.8
MEDIUMCVE-2025-43791
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 36 allow remote attackers to inject arbitrary web scr... Read more
- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Cross-Site Scripting
-
8.8
HIGHCVE-2025-59144
debug is a JavaScript debugging utility. On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added ... Read more
Affected Products : debug- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Supply Chain
-
6.9
MEDIUMCVE-2025-59155
hackmd-mcp is a Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants. From 1.4.0 to before 1.5.0, hackmd-mcp contains a server-side request forgery (SSRF) vulnerability when the server is run in HTTP transport mod... Read more
Affected Products :- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Server-Side Request Forgery
-
5.0
MEDIUMCVE-2025-59397
Open Web Analytics (OWA) before 1.8.1 allows SQL injection.... Read more
Affected Products : open_web_analytics- Published: Sep. 15, 2025
- Modified: Sep. 16, 2025
- Vuln Type: Injection