Latest CVE Feed
-
5.4
MEDIUMCVE-2025-12505
The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check functio... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Authorization
-
7.5
HIGHCVE-2025-65844
EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficie... Read more
Affected Products : evershop- Published: Dec. 02, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Authorization
-
7.2
HIGHCVE-2025-12510
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This ma... Read more
Affected Products : widgets_for_google_reviews- Published: Dec. 06, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-11263
The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenti... Read more
Affected Products :- Published: Dec. 06, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Cross-Site Scripting
-
6.7
MEDIUMCVE-2025-59820
In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative.... Read more
Affected Products :- Published: Nov. 26, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Memory Corruption
-
10.0
CRITICALCVE-2025-55182
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The... Read more
- Actively Exploited
- Published: Dec. 03, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Injection
-
7.5
HIGHCVE-2024-3884
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will ... Read more
Affected Products : undertow- Published: Dec. 03, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Denial of Service
-
6.5
MEDIUMCVE-2025-13785
A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The ... Read more
Affected Products : skuul- Published: Nov. 30, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Information Disclosure
-
4.8
MEDIUMCVE-2025-13784
A weakness has been identified in yungifez Skuul School Management System up to 2.6.5. This vulnerability affects unknown code of the file /dashboard/schools/1/edit of the component SVG File Handler. This manipulation causes cross site scripting. The atta... Read more
Affected Products : skuul- Published: Nov. 30, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Cross-Site Scripting
-
8.7
HIGHCVE-2025-66031
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures ... Read more
Affected Products : forge- Published: Nov. 26, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Denial of Service
-
6.3
MEDIUMCVE-2025-66030
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing ... Read more
Affected Products : forge- Published: Nov. 26, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Misconfiguration
-
5.4
MEDIUMCVE-2025-63229
The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an attacker c... Read more
- Published: Nov. 18, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Cross-Site Scripting
-
9.8
CRITICALCVE-2025-60854
A vulnerability has been found in D-Link R15 (AX1500) 1.20.01 and below. By manipulating the model name parameter during a password change request in the web administrator page, it is possible to trigger a command injection in httpd.... Read more
- Published: Dec. 02, 2025
- Modified: Dec. 06, 2025
- Vuln Type: Injection
-
7.0
HIGHCVE-2025-13492
A potential security vulnerability has been identified in HP Image Assistant for versions prior to 5.3.3. The vulnerability could potentially allow a local attacker to escalate privileges via a race condition when installing packages.... Read more
- Published: Dec. 03, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Race Condition
-
8.1
HIGHCVE-2025-12819
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.... Read more
Affected Products : pgbouncer- Published: Dec. 03, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Injection
-
6.1
MEDIUMCVE-2025-41079
A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with PUT parámetro 'name' in '/api/v2.1/user/'.... Read more
Affected Products : seafile- Published: Dec. 04, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-41080
A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with POST parámetro 'p' in '/api/v2.1/repos/{repo_i... Read more
Affected Products : seafile- Published: Dec. 04, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Cross-Site Scripting
-
3.7
LOWCVE-2025-66629
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't se... Read more
Affected Products : hedgedoc- Published: Dec. 05, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Cross-Site Request Forgery
-
9.4
CRITICALCVE-2025-34291
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cook... Read more
Affected Products : langflow- Published: Dec. 05, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Authentication
-
5.8
MEDIUMCVE-2025-14116
A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The ... Read more
Affected Products :- Published: Dec. 05, 2025
- Modified: Dec. 05, 2025
- Vuln Type: Server-Side Request Forgery