Latest CVE Feed
-
8.7
HIGHCVE-2025-8110
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Path Traversal
-
7.2
HIGHCVE-2025-64156
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7, FortiVoice 6.4 all versions, FortiVoice 6.0 all versions may allow an authent... Read more
Affected Products : fortivoice- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Injection
-
7.1
HIGHCVE-2025-1161
Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation.This issue affects Nomysem: through May 2025.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authorization
-
0.0
NACVE-2025-13184
Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation, ... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authentication
-
3.5
LOWCVE-2025-13127
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TAC Information Services Internal and External Trade Inc. GoldenHorn allows Cross-Site Scripting (XSS).This issue affects GoldenHorn: before 4.25.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Cross-Site Scripting
-
5.7
MEDIUMCVE-2025-66550
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded with... Read more
- Published: Dec. 05, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Misconfiguration
-
7.8
HIGHCVE-2025-62221
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.... Read more
Affected Products : windows_server_2019 windows_10_1809 windows_10_21h2 windows_10_22h2 windows_server_2022 windows_11_23h2 windows_server_2022_23h2 windows_server_23h2 windows_11_24h2 windows_server_2025 +1 more products- Actively Exploited
- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
-
7.8
HIGHCVE-2025-48575
In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for e... Read more
Affected Products : android- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authorization
-
7.8
HIGHCVE-2025-48573
In sendCommand of MediaSessionRecord.java, there is a possible way to launch the foreground service while the app is in the background due to FGS while-in-use abuse. This could lead to local escalation of privilege with no additional execution privileges ... Read more
Affected Products : android- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authentication
-
7.8
HIGHCVE-2025-22420
In multiple locations, there is a possible way to leak audio files across user profiles due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitat... Read more
Affected Products : android- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authorization
-
7.8
HIGHCVE-2025-48566
In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not n... Read more
Affected Products : android- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authorization
-
6.7
MEDIUMCVE-2025-22432
In notifyTimeout of CallRedirectionProcessor.java, there is a possible persistent connection due to improper input validation. This could lead to local escalation of privilege and background activity launches with User execution privileges needed. User in... Read more
Affected Products : android- Published: Dec. 08, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2024-2105
An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Denial of Service
-
8.8
HIGHCVE-2024-2104
Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable.... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Misconfiguration
-
4.3
MEDIUMCVE-2025-63013
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.... Read more
Affected Products : wp_hotel_booking- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Information Disclosure
-
5.9
MEDIUMCVE-2025-63011
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.... Read more
Affected Products : wp_hotel_booking- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Cross-Site Scripting
-
4.8
MEDIUMCVE-2025-63010
Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery.This issue affects Hercules Core : from n/a through <= 7.4.... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Server-Side Request Forgery
-
5.3
MEDIUMCVE-2025-63009
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in yuvalo WP Google Analytics Events wp-google-analytics-events allows Retrieve Embedded Sensitive Data.This issue affects WP Google Analytics Events: from n/a throug... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Information Disclosure
-
8.3
HIGHCVE-2025-41358
Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/Crono... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authorization
-
9.3
CRITICALCVE-2025-13953
Bypass vulnerability in the authentication method in the GTT Tax Information System application, related to the Active Directory (LDAP) login method. Authentication is performed through a local WebSocket, but the web application does not properly validat... Read more
Affected Products :- Published: Dec. 10, 2025
- Modified: Dec. 10, 2025
- Vuln Type: Authentication