Total
309430 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48303 | 2025-08-25 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Kevin Langley Jr. Post Type Converter allows Cross-Site Request Forgery.This issue affects Post Type Converter: from n/a through 0.6. | |||||
| CVE-2025-9048 | 2025-08-25 | N/A | 8.1 HIGH | ||
| The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | |||||
| CVE-2025-9409 | 2025-08-25 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-54300 | 2025-08-25 | N/A | N/A | ||
| A stored XSS vulnerability in Quantum Manager component 1.0.0-3.2.0 for Joomla was discovered. The SVG upload feature does not sanitize uploads. | |||||
| CVE-2025-5060 | 2025-08-25 | N/A | 8.1 HIGH | ||
| The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.0. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email. | |||||
| CVE-2025-53120 | 2025-08-25 | N/A | 9.4 CRITICAL | ||
| A path traversal vulnerability in unauthenticated upload functionality allows a malicious actor to upload binaries and scripts to the server’s configuration and web root directories, achieving remote code execution on the Unified PAM server. | |||||
| CVE-2025-5352 | 2025-08-25 | N/A | 8.1 HIGH | ||
| A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25. | |||||
| CVE-2025-55574 | 2025-08-25 | N/A | 6.1 MEDIUM | ||
| Cross Site Scripting vulnerability in docmost v.0.21.0 and before allows an attacker to execute arbitrary code | |||||
| CVE-2025-5514 | 2025-08-25 | N/A | 5.3 MEDIUM | ||
| Improper Handling of Length Parameter Inconsistency vulnerability in web server function on Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to delay the processing of the web server function and prevent legitimate users from utilizing the web server function, by sending a specially crafted HTTP request. | |||||
| CVE-2025-9398 | 2025-08-25 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A security vulnerability has been detected in YiFang CMS up to 2.0.5. Affected by this vulnerability is the function exportInstallTable of the file app/utils/base/database/Migrate.php. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-51281 | 2025-08-25 | N/A | 7.0 HIGH | ||
| D-Link DI-8100 16.07.26A1 is vulnerable to Buffer Overflow via the en`, `val and id parameters in the qj_asp function. This vulnerability allows authenticated attackers to cause a Denial of Service (DoS) by sending crafted GET requests with overly long values for these parameters. | |||||
| CVE-2025-9384 | 2025-08-25 | 1.7 LOW | 3.3 LOW | ||
| A vulnerability was detected in appneta tcpreplay up to 4.5.1. Impacted is the function tcpedit_post_args of the file /src/tcpedit/parse_args.c. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 4.5.2-beta2 is recommended to address this issue. Upgrading the affected component is advised. The vendor explains, that he was "[a]ble to reproduce in 6fcbf03 but not in 4.5.2-beta2". | |||||
| CVE-2025-7842 | 2025-08-25 | N/A | 4.3 MEDIUM | ||
| The Silencesoft RSS Reader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6. This is due to missing or incorrect nonce validation on the 'sil_rss_edit_page' page. This makes it possible for unauthenticated attackers to delete RSS feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-29523 | 2025-08-25 | N/A | 7.2 HIGH | ||
| D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the ping6 function. | |||||
| CVE-2025-7827 | 2025-08-25 | N/A | 4.3 MEDIUM | ||
| The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings. | |||||
| CVE-2025-36174 | 2025-08-25 | N/A | 8.0 HIGH | ||
| IBM Integrated Analytics System 1.0.0.0 through 1.0.30.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened. | |||||
| CVE-2025-9381 | 2025-08-25 | 0.8 LOW | 1.6 LOW | ||
| A security flaw has been discovered in FNKvision Y215 CCTV Camera 10.194.120.40. This affects an unknown part of the file /tmp/wpa_supplicant.conf. Performing manipulation results in information disclosure. The attack may be carried out on the physical device. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-57802 | 2025-08-25 | N/A | N/A | ||
| Airlink's Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version 1.0.0, an attacker with access to the affected container can create symbolic links inside the mounted directory (/app/data). Because the container bind-mounts an arbitrary host path, these symlinks can point to sensitive locations on the host filesystem. When the application or other processes follow these symlinks, the attacker can gain unauthorized read access to host files outside the container. This issue has been patched in version 1.0.1. | |||||
| CVE-2025-8062 | 2025-08-25 | N/A | 6.4 MEDIUM | ||
| The WS Theme Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ws_weather shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-9410 | 2025-08-25 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A weakness has been identified in lostvip-com ruoyi-go up to 2.1. The affected element is the function SelectListByPage of the file modules/system/dao/GenTableDao.go. Executing manipulation of the argument isAsc/orderByColumn can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||