The CVE-2025-21994 vulnerability is a flaw in the Linux kernel's ksmbd module, specifically in the validation of the num_aces field of smb_acl. This flaw allows for incorrect validation of the number of Access Control Entries (ACEs) in a request buffer, potentially leading to the creation of an excessively large array.
This vulnerability is a problem because it can be exploited to cause a denial-of-service (DoS) or potentially even execute arbitrary code, by allowing an attacker to craft a malicious request that exceeds the expected buffer size, leading to a crash or unauthorized access.
This vulnerability allows an attacker to send a specially crafted network packet to the HTTP server in STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0, triggering an integer underflow that can cause a denial of service.
This vulnerability is a problem because it can be exploited by an attacker to disrupt the functionality of the HTTP server, making it unavailable to legitimate users and potentially causing significant disruptions to the system or service that relies on it.
This vulnerability allows an attacker to send a specially crafted network packet to the HTTP server in STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0, causing an integer underflow that can lead to a denial of service.
This vulnerability is a problem because it can be exploited by an attacker to disrupt the service, making it unavailable to users, which can lead to downtime and potential data loss.
This vulnerability allows an attacker to send a specially crafted series of network requests to the HTTP server in STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0, triggering an integer underflow that can lead to a denial of service.
This vulnerability is a problem because it enables an attacker to disrupt the normal functioning of the HTTP server, potentially causing it to become unresponsive or crash, which can lead to downtime and loss of service.
This vulnerability allows an attacker to send a series of specially crafted network requests to the HTTP server in STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0, causing an integer underflow that can lead to a denial of service.
This vulnerability is a problem because it can be exploited by an attacker to crash the HTTP server, making it unavailable and disrupting the normal functioning of the system, which can have significant consequences for applications that rely on it.
This vulnerability allows an attacker to send a specially crafted network packet to the NetX Component HTTP server in STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0, which can cause a denial of service, disrupting the server's functionality.
This vulnerability is a problem because it enables an attacker to intentionally crash or disable the HTTP server, potentially causing service outages, disrupting business operations, and leading to financial losses or reputational damage.
This vulnerability allows an attacker to send a specially crafted network packet to the NetX Component HTTP server in STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0, causing a denial of service.
This vulnerability is a problem because it can be exploited by an attacker to disrupt the normal functioning of the HTTP server, making it unavailable to legitimate users and potentially causing significant disruptions to the system or network.
This vulnerability allows an attacker to overflow a buffer in the FileX Internal RAM interface of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0 by sending a specially crafted set of network packets, potentially leading to code execution.
This vulnerability is a problem because it enables an attacker to execute arbitrary code, giving them control over the affected system, which can lead to data theft, system compromise, or other malicious activities.
The CVE-2025-30090 vulnerability allows an attacker to inject malicious JavaScript code into email headers in SquirrelMail versions 1.4.23-svn-20250401 and 1.5.2-svn-20250401, potentially leading to cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially stealing sensitive information, taking control of the user's session, or performing other malicious actions, all by simply sending a crafted email to a vulnerable SquirrelMail server.
This vulnerability allows an attacker to slow down or crash Django applications, specifically the login, logout, and language-setting views, by sending inputs with a large number of Unicode characters, exploiting the slow NFKC normalization on Windows.
This vulnerability is a problem because it enables a potential denial-of-service (DoS) attack, which can make the application unavailable to legitimate users, causing disruption and potentially leading to further security issues or financial losses.
The CVE-2025-21993 vulnerability occurs in the Linux kernel when performing an iSCSI boot using IPv6, where the system still attempts to read the subnet mask entry, which is not applicable to IPv6, causing a shift-out-of-bounds warning.
This vulnerability is a problem because it triggers a UBSAN shift-out-of-bounds warning, which can indicate a potential memory-safety issue in the system; the fix suppresses the warning by setting the subnet mask value to ~0 for IPv6 boots. Left unfixed, this could lead to unexpected system behavior or errors.
The CVE-2025-21992 vulnerability affects the Linux kernel, where the HP 5MP Camera reports a non-functional sensor interface, causing system hangs when attempting to access it.
This vulnerability is a problem because it can cause system crashes and unresponsiveness when the non-functional sensor is accessed, potentially leading to downtime and disruption of critical services.
The CVE-2025-21991 vulnerability is an out-of-bounds error in the Linux kernel that occurs when loading microcode updates on AMD systems with CPU-less NUMA nodes, potentially corrupting memory.
This vulnerability is a problem because it can cause reliability issues by corrupting memory while flashing a microcode update, although it does not have any security implications as flashing microcode is a privileged operation.
This vulnerability in the Linux kernel occurs when the drm/amdgpu component fails to check if a buffer object (BO) has a backing store before attempting to access it, potentially leading to a null pointer dereference.
This vulnerability is a problem because it can cause the system to crash or become unstable when the Linux kernel tries to access a non-existent backing store, potentially leading to a denial-of-service (DoS) condition.
The CVE-2025-21989 vulnerability is a NULL pointer dereference issue in the Linux kernel's AMDGPU driver, specifically affecting older GPUs like the R9 280X, which occurs when the driver is loaded with a certain configuration due to a missing function called `.is_two_pixels_per_container`.
This vulnerability is a problem because it can cause system crashes or instability on affected PCs, potentially leading to data loss or disruption of critical services, especially when using older GPUs with the AMDGPU driver.
The CVE-2025-21988 vulnerability is a bug in the Linux kernel that occurs when multiple subrequests donate data to the same request, causing the `prev_donated` field to be overwritten, leading to data corruption and a system crash.
This vulnerability is a problem because it can cause the system to crash and lead to data corruption, resulting in potential data loss and system instability, which can have significant consequences for users and organizations relying on the affected Linux kernel.
The CVE-2025-21987 vulnerability is related to the Linux kernel, specifically in the amdgpu driver, where an uninitialized value can be returned if a certain condition is met, potentially causing unpredictable behavior.
This vulnerability is a problem because it can lead to instability and potential crashes in systems using the affected Linux kernel and amdgpu driver, as the uninitialized value can cause unexpected errors and disrupt normal system operation.
The Crypt::Salt module for Perl, version 0.01, uses the insecure rand() function to generate salts for cryptographic purposes, which can lead to predictable and weak salts.
This vulnerability is a problem because using an insecure rand() function can compromise the security of cryptographic operations, making it easier for attackers to guess or brute-force the salts, potentially leading to unauthorized access or data breaches.
The Tempo Operator has a flaw that allows a user with specific permissions to access and read the token of the Tempo service account, granting them access to all cluster metrics when the Jaeger UI Monitor Tab functionality is enabled.
This vulnerability is a problem because it allows unauthorized users to gain access to sensitive cluster metrics, potentially compromising the security and privacy of the system, if they have 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace.
The Tempo Operator flaw allows a user with full access to their namespace to extract a ServiceAccount token and use it to submit requests that can reveal information about other users' permissions.
This vulnerability is a problem because it exposes sensitive information about other users' permissions, which could be used to gather information and aid in planning further attacks, even though it does not allow direct privilege escalation or impersonation.
The Advanced Search by My Solr Server plugin for WordPress has a vulnerability that allows attackers to trick site administrators into performing unintended actions, such as updating settings or injecting malicious scripts, by sending forged requests.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate the plugin's settings and potentially inject malicious code, which could lead to security breaches, data theft, or other malicious activities, all without needing direct access to the site.
The Video Url plugin for WordPress has a vulnerability that allows attackers to inject arbitrary web scripts into pages via the 'id' parameter, due to insufficient input sanitization and output escaping, which can be triggered by tricking a user into clicking on a malicious link.
This vulnerability is a problem because it enables unauthenticated attackers to execute malicious scripts on a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities, without requiring the attacker to have any credentials or direct access to the website.
The wp Time Machine plugin for WordPress has a vulnerability that allows attackers to trick site administrators into performing unintended actions, such as updating settings or injecting malicious scripts, by sending forged requests.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate the site's settings and potentially inject malicious code, which could lead to security breaches, data theft, or other malicious activities, all without needing to authenticate themselves.
The Shopper Approved Reviews plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to modify data and update arbitrary options on the site, potentially leading to privilege escalation.
This vulnerability is a problem because it enables attackers to gain administrative access to a vulnerable site by updating the default role for registration to administrator and enabling user registration, which can lead to unauthorized control and potential data breaches.
The Smart Icons For WordPress plugin has a vulnerability that allows attackers with Editor-level access or higher to upload malicious SVG files, which can inject arbitrary web scripts into pages, executing them when a user accesses the file.
This vulnerability is a problem because it enables authenticated attackers to inject malicious scripts, potentially leading to unauthorized access, data theft, or other harmful activities, affecting users who access the compromised pages.
The Gift Certificate Creator plugin for WordPress has a vulnerability that allows attackers to inject arbitrary web scripts into pages through a parameter called 'receip_address' due to insufficient input sanitization and output escaping, making it possible to execute malicious scripts when a user clicks on a link.
This vulnerability is a problem because it enables unauthenticated attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities on the affected WordPress site.
The Front End Users plugin for WordPress allows attackers to upload any type of file to a website's server without proper validation, due to a vulnerability in the registration form's file uploads field.
This vulnerability is a problem because it enables unauthenticated attackers to upload malicious files, potentially leading to remote code execution, which could give them full control over the affected website.
The Demo Awesome plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to install and activate any plugin they want, due to a missing capability check in the install_plugin function.
This vulnerability is a problem because it gives low-level users the ability to install malicious plugins, which can lead to a range of issues including data theft, website defacement, and unauthorized access to sensitive information.
The Front End Users plugin for WordPress has a vulnerability that allows attackers to inject malicious SQL code into the database via the 'UserSearchField' parameter, potentially extracting sensitive information.
This vulnerability is a problem because it enables unauthenticated attackers to access and extract sensitive data from the database, which could lead to data breaches, identity theft, and other security issues.
This vulnerability allows a local or remote user to create and execute arbitrary Python code by exploiting a YAML deserialization flaw in the Robot Operating System (ROS) 'dynparam' tool, which affects ROS distributions Noetic and earlier.
This vulnerability is a problem because it enables an attacker to craft and execute malicious Python code, potentially leading to unauthorized access, data breaches, or disruption of system operations, posing a significant threat to the security and integrity of ROS-based systems.
This vulnerability allows an attacker to escalate their privileges on Fortinet FortiSIEM systems by uploading specific GUI elements, which can then be used to access restricted areas of the system due to a relative path traversal flaw.
This is a significant issue because it enables attackers to gain elevated access to the system, potentially leading to unauthorized data access, modification, or deletion, as well as disruption of system operations, which can have severe consequences given the system's role in security monitoring and incident response.
This vulnerability allows an attacker with console access to inject and execute system commands on Moxa products using tcpdump, due to improper input validation.
This vulnerability is a problem because it can lead to privilege escalation, giving the attacker root shell access and persistent control over the device, potentially disrupting network services and affecting the availability of connected systems.
This vulnerability allows a remote attacker with web administrator privileges to execute arbitrary system commands through the NTP settings on a device, potentially causing it to enter an infinite reboot loop.
This vulnerability is a problem because it can lead to a denial of connectivity for downstream systems that rely on the device's network services, resulting in a loss of access to critical resources and potentially disrupting business operations.
The CVE-2024-45700 vulnerability allows an attacker to send specially crafted requests to a Zabbix server, causing it to allocate excessive memory and perform CPU-intensive operations, ultimately leading to a service crash.
This vulnerability is a problem because it enables an attacker to launch a Denial of Service (DoS) attack, which can render the Zabbix server unavailable, disrupting monitoring and alerting capabilities, and potentially causing significant operational impacts.
This vulnerability allows an attacker to inject malicious JavaScript code into a website through the "backurl" parameter in the /zabbix.php?action=export.valuemaps endpoint, which can then be executed in a victim's browser.
This is a problem because it enables attackers to perform Cross-Site Scripting (XSS) attacks, potentially stealing sensitive information, taking control of user sessions, or performing other malicious actions on the victim's browser.
The Zabbix API's user.get function returns information about all users who share a common group with the user making the request, including sensitive details like media information and login attempt history.
This vulnerability is a problem because it allows a user to access sensitive information about other users in the same group, potentially revealing confidential data and compromising user privacy.
This vulnerability causes the system to take a different amount of time to respond when an incorrect login attempt is made with a non-existent username compared to an existing one.
This difference in response time can be used by attackers to determine whether a particular username is valid or not, potentially allowing them to identify and target specific user accounts.
This vulnerability allows a low-privilege Zabbix user with API access to inject and execute arbitrary SQL commands by exploiting a weakness in the groupBy parameter of the CApiService.php file.
This vulnerability is a problem because it enables an attacker with limited access to potentially extract, modify, or delete sensitive data from the database, compromising the security and integrity of the system.
The AssetView and AssetView CLOUD systems have a vulnerability that allows sensitive information to be accessed from the data sent to the developer, potentially exposing it to remote unauthenticated attackers.
This vulnerability is a problem because it could allow unauthorized individuals to obtain sensitive information without needing any authentication, which could lead to data breaches, identity theft, or other malicious activities.
This vulnerability allows a remote attacker to access and manipulate files on a server without needing to authenticate, due to a lack of proper authentication for a critical function in AssetView and AssetView CLOUD.
This vulnerability is a problem because it enables unauthorized access to sensitive files, potentially leading to data breaches, theft, or destruction of critical information, which can have severe consequences for individuals and organizations.
The Insert Headers and Footers Code – HT Script plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to modify data on the site by exploiting a missing capability check in the ajax_dismiss function, potentially updating option values and creating errors or enabling unauthorized features.
This vulnerability is a problem because it can be used to disrupt the normal functioning of a WordPress site, denying access to legitimate users or enabling features that should be restricted, such as registration, which can lead to security breaches and unauthorized access.
This vulnerability allows a remote attacker to trick users into performing unintended actions by creating a fake user interface within Google Chrome, using a specially crafted HTML page.
This vulnerability is a problem because it can be used to deceive users into revealing sensitive information, downloading malware, or performing other malicious actions, potentially leading to security breaches or financial losses.
This vulnerability allows a remote attacker to perform UI spoofing on Google Chrome versions prior to 135.0.7049.52 by tricking a user into interacting with a specially crafted HTML page, exploiting an inappropriate implementation in the Autofill feature.
This vulnerability is a problem because it enables attackers to deceive users into performing unintended actions, potentially leading to security breaches, data theft, or other malicious activities, by masquerading as legitimate user interface elements.
This vulnerability allows a remote attacker to perform UI spoofing on Google Chrome versions prior to 135.0.7049.52 by convincing a user to interact with a specifically crafted HTML page in a certain way, exploiting the Custom Tabs feature.
This vulnerability is a problem because it enables attackers to deceive users into performing unintended actions or revealing sensitive information by manipulating the user interface, potentially leading to phishing attacks, data theft, or other malicious activities.
This vulnerability allows a remote attacker to bypass the same origin policy in Google Chrome, prior to version 135.0.7049.52, by tricking a user into performing specific actions on a crafted HTML page.
This vulnerability is a problem because it enables an attacker to access and manipulate data from other websites or domains, potentially leading to unauthorized access, data theft, or other malicious activities, all while bypassing the security measures put in place to prevent such actions.
This vulnerability allows a remote attacker to perform privilege escalation on Google Chrome browsers prior to version 135.0.7049.52 by using a crafted HTML page, due to insufficient validation of untrusted input in Extensions.
This vulnerability is a problem because it enables attackers to gain higher privileges on a user's system, potentially allowing them to access sensitive information, install malware, or take control of the system.
This vulnerability allows a remote attacker to perform privilege escalation on Google Chrome versions prior to 135.0.7049.52 by using a crafted HTML page, taking advantage of an inappropriate implementation in Extensions.
This vulnerability is a problem because it enables an attacker to gain higher privileges on a user's system, potentially allowing them to access sensitive information, install malware, or take control of the system.
This vulnerability allows a remote attacker to escalate their privileges on a Google Chrome browser for Android by using a specially crafted HTML page, due to an inappropriate implementation of Intents.
This vulnerability is a problem because it enables an attacker to gain higher-level access to a user's browser, potentially allowing them to steal sensitive information, install malware, or perform other malicious actions.
This vulnerability allows a remote attacker to perform privilege escalation on a user's Android device by convincing the user to interact with a specially crafted app in Google Chrome's Custom Tabs, prior to version 135.0.7049.52.
This vulnerability is a problem because it enables an attacker to gain elevated privileges on a user's device, potentially allowing them to access sensitive information, install malware, or take control of the device.
This vulnerability allows a remote attacker to potentially exploit heap corruption in Google Chrome by using a crafted HTML page, taking advantage of a "use after free" issue in the browser's navigation functionality.
This vulnerability is a problem because it could enable an attacker to execute arbitrary code, leading to a range of potential consequences including data theft, malware installation, and unauthorized system access, all of which can compromise user security and privacy.
The Dell Wyse Management Suite, in versions prior to 5.1, has a vulnerability that allows inherited permissions to be insecurely set, potentially granting unauthorized access to a low-privileged attacker with local access.
This vulnerability is a problem because it could allow an attacker with limited access to gain higher levels of access and control, potentially leading to unauthorized data access, modification, or other malicious activities.
The Dell Wyse Management Suite, versions prior to 5.1, has a vulnerability that allows an unauthenticated attacker with remote access to potentially expose sensitive information through data queries, leading to information disclosure.
This vulnerability is a problem because it could allow an attacker to gain access to sensitive information without needing any authentication, potentially compromising the security and confidentiality of the data stored on the affected system.
The Dell Wyse Management Suite, versions prior to 5.1, has a vulnerability that allows an unauthenticated attacker with remote access to potentially cause a denial of service, making the system unavailable.
This vulnerability is a problem because it could be exploited by an attacker to disrupt the normal functioning of the system, leading to downtime and potential loss of productivity or sensitive data.
The Dell Wyse Management Suite, versions prior to 5.1, has a vulnerability that allows an attacker to inject malicious scripts into web pages, potentially giving them control over the system.
This vulnerability is a problem because it could allow a high-privileged attacker with remote access to inject scripts, potentially leading to unauthorized access, data theft, or system compromise, which could have serious consequences for the security and integrity of the system.
The Dell Wyse Management Suite, versions prior to WMS 5.1, allows an attacker to upload files of any type without restriction, potentially leading to denial of service, information disclosure, and remote execution.
This vulnerability is a problem because it enables a high-privileged attacker with remote access to exploit the system, causing service disruptions, leaking sensitive information, and potentially taking control of the system remotely.
The Go-Guerrilla SMTP Daemon vulnerability allows an attacker to send multiple PROXY commands, overriding earlier ones, and spoof their IP address when the ProxyOn feature is enabled.
This vulnerability is a problem because it enables attackers to disguise their true IP address, making it difficult to track and block malicious activity, and potentially leading to unauthorized access or attacks on the server.
The CVE-2025-30356 vulnerability allows an attacker to craft malicious frames that can cause a heap buffer overflow in the CryptoLib software, which is used to secure communications between spacecraft and ground stations. This occurs due to an incomplete validation check on the frame length field, leading to unsafe calculations and a potential overflow in a memcpy call.
This vulnerability is a problem because it can be exploited by an attacker to potentially gain control over the spacecraft's systems or disrupt communications between the spacecraft and the ground station, which could have serious consequences for space missions.
This vulnerability allows a remote attacker to access sensitive information by uploading a specially crafted file to the ONLYOFFICE Document Server, potentially bypassing the server's directory restrictions.
This vulnerability is a problem because it enables unauthorized access to sensitive information, which could lead to data breaches, intellectual property theft, or other malicious activities, compromising the security and confidentiality of the affected system.
The CVE-2025-31889 vulnerability allows an attacker to inject malicious code into web pages generated by the Extensions for Elementor plugin, due to improper neutralization of user input, leading to cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to steal user data, take control of user sessions, or perform unauthorized actions on behalf of the user, potentially leading to sensitive information disclosure, financial loss, or reputational damage.
The CVE-2025-31819 vulnerability allows an attacker to inject malicious code into a website using the Nova Blocks plugin by Pixelgrade, potentially leading to cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, which can lead to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the website and its users.
The CVE-2025-31753 vulnerability allows an attacker to trick a user into performing unintended actions on a website using the Advanced Speed Increaser plugin, version 2.2.1 or earlier, by exploiting a Cross-Site Request Forgery (CSRF) weakness.
This vulnerability is a problem because it enables attackers to manipulate user interactions, potentially leading to unauthorized changes, data breaches, or other malicious activities, which can compromise the security and integrity of the affected system.
The CVE-2025-31628 vulnerability allows unauthorized access to Sliced Invoices due to a missing authorization mechanism, affecting versions up to 3.9.4 (the earliest affected version is not specified).
This vulnerability is a problem because it enables unauthorized users to potentially access, modify, or exploit sensitive invoice data, which could lead to financial losses, data breaches, or other malicious activities.
The CVE-2025-31619 vulnerability allows an attacker to inject malicious SQL code into the Actionwear products sync database, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it could lead to unauthorized data access, modification, or deletion, compromising the confidentiality, integrity, and availability of the data stored in the database, which could have serious consequences for the affected organization.
The CVE-2025-31612 vulnerability allows an attacker to inject malicious objects into the CBX Poll system by exploiting a deserialization of untrusted data flaw, potentially leading to unauthorized access and control.
This vulnerability is a significant problem because it enables attackers to execute arbitrary code, compromise sensitive data, and disrupt the system's functionality, posing a substantial risk to the security and integrity of the CBX Poll application.
The CVE-2025-31594 vulnerability allows an attacker to inject malicious code into a website using the WPglob Auto scroll for reading plugin, enabling Reflected Cross-site Scripting (XSS) attacks.
This vulnerability is a problem because it can lead to the theft of user data, session hijacking, and other malicious activities by allowing attackers to execute arbitrary code on a user's browser.
The CVE-2025-31580 vulnerability allows unauthorized access to certain functionalities in the Ni WooCommerce Product Enquiry plugin due to missing authorization checks, affecting versions up to 4.1.8.
This vulnerability is a problem because it enables unauthorized users to access and potentially exploit restricted features, which could lead to data breaches, malicious activities, or other security threats, ultimately compromising the security and integrity of the affected system.
The CVE-2025-31579 vulnerability allows an attacker to inject malicious SQL code into a database using the WP AutoKeyword plugin, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can lead to unauthorized data access, modification, or deletion, compromising the security and integrity of the affected database and potentially allowing attackers to gain control of the entire system.
The CVE-2025-31578 vulnerability allows an attacker to inject malicious code into a web page using a technique called Cross-site Scripting (XSS), specifically Reflected XSS, in the Fonts Manager | Custom Fonts application.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities, which can compromise the security and integrity of the application and its users.
The CVE-2025-31571 vulnerability allows an attacker to inject malicious code into a web page using a technique called Reflected Cross-site Scripting (XSS) in The Logo Slider plugin, versions up to 1.0.0.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities when they visit the compromised web page.
The CVE-2025-31568 vulnerability allows an attacker to inject malicious code into a web page, enabling Reflected Cross-site Scripting (XSS) attacks, which can be executed when a user visits a compromised webpage.
This vulnerability is a problem because it can lead to unauthorized access to user data, session hijacking, and other malicious activities, potentially compromising the security and privacy of users interacting with the affected LeadLab by wiredminds system.
The CVE-2025-31564 vulnerability allows an attacker to inject malicious SQL code into the Ai Auto Tool Content Writing Assistant, enabling them to extract or modify sensitive data without being detected.
This vulnerability is a problem because it can lead to unauthorized access to sensitive information, data tampering, and potentially even complete control of the affected system, compromising the security and integrity of the data stored within.
The CVE-2025-31563 vulnerability allows an attacker to inject malicious code into the Vimal Kava AI Search Bar, which can lead to Stored Cross-site Scripting (XSS) attacks. This means that an attacker can store malicious scripts on the website, which can then be executed by other users who visit the site.
This vulnerability is a problem because it can allow attackers to steal user data, take control of user accounts, or perform other malicious actions on behalf of the user. The fact that it is a Stored XSS vulnerability makes it particularly dangerous, as the malicious script can be stored on the website and executed multiple times, affecting multiple users.
The CVE-2025-31561 vulnerability allows an attacker to inject malicious SQL code into the Ultimate Push Notifications system, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it could allow an attacker to extract, modify, or delete sensitive data, leading to a significant security breach and potentially compromising user information.
The CVE-2025-31560 vulnerability allows an attacker to escalate their privileges in the Dimitri Grassi Salon booking system due to an incorrect assignment of privileges, potentially giving them unauthorized access to sensitive features and data.
This vulnerability is a problem because it enables attackers to gain higher levels of access than they should have, which can lead to unauthorized modifications, data breaches, or disruption of the salon's operations, ultimately compromising the security and integrity of the system.
The CVE-2025-31553 vulnerability allows an attacker to inject malicious SQL code into the WPFactory Advanced WooCommerce Product Sales Reporting plugin, potentially giving them access to sensitive database information.
This vulnerability is a problem because it can lead to unauthorized access to sensitive data, including customer information and sales records, which can result in data theft, financial loss, and damage to the reputation of the affected business.
The CVE-2025-31552 vulnerability allows an attacker to inject malicious SQL code into the RSVPMarker application, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can lead to unauthorized data access, modification, or deletion, and potentially even allow attackers to take control of the entire system, resulting in significant security breaches and data losses.
This vulnerability allows an attacker to inject malicious SQL code into the Salesmate Add-On for Gravity Forms, potentially giving them access to sensitive data and control over the database.
This vulnerability is a problem because it can lead to unauthorized data access, modification, or deletion, and can also be used to gain control over the entire system, resulting in a significant security breach.
This vulnerability in the thom4 WP-LESS plugin stems from sensitive information being placed in files or directories that are accessible from outside, allowing an attacker to retrieve the embedded sensitive data.
This is a problem because it exposes sensitive information to unauthorized access, potentially leading to data breaches, security compromises, and other malicious activities, affecting WP-LESS versions from 1.9.3 through 3.
The CVE-2025-31548 vulnerability allows an attacker to inject malicious code into a website using the Ultimate Push Notifications plugin, version 1.1.8 or earlier, which can lead to Reflected Cross-site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to steal user data, take control of user sessions, or perform other malicious actions on the affected website, potentially compromising the security and privacy of users who interact with the site.
The CVE-2025-31537 vulnerability allows an attacker to inject malicious code into a website using the Bulk NoIndex & NoFollow Toolkit, potentially stealing user data or taking control of user sessions through Reflected Cross-site Scripting (XSS).
This vulnerability is a problem because it enables attackers to trick users into performing unintended actions or disclosing sensitive information, which can lead to security breaches, data theft, and other malicious activities, ultimately compromising the security and trust of the affected website.
This vulnerability allows an attacker to inject malicious SQL code into the Shopper application, potentially giving them unauthorized access to sensitive data and control over the database.
This vulnerability is a problem because it can lead to unauthorized data access, modification, or deletion, and can also be used to gain control over the entire system, resulting in a significant security breach.
This vulnerability allows an attacker to inject malicious SQL code into the click5 History Log database, potentially giving them unauthorized access to sensitive data.
This SQL Injection vulnerability is a significant issue because it can lead to the theft or modification of sensitive data, disruption of database operations, and potentially even allow attackers to gain control of the entire system, resulting in severe security breaches.
The CVE-2025-31525 vulnerability allows unauthorized access to certain features in the WP Mobile Bottom Menu plugin due to missing authorization checks, potentially enabling exploitation of incorrectly configured security levels.
This vulnerability is a problem because it could allow unauthorized users to access sensitive areas of a website or perform actions that they should not be able to, potentially leading to data breaches, malicious activity, or other security issues.
The CVE-2025-31462 vulnerability allows an attacker to inject malicious code into a web page through the CGM Event Calendar, enabling Reflected Cross-Site Scripting (XSS) attacks. This means an attacker can trick a user into clicking a link or visiting a webpage that executes the malicious code, potentially stealing user data or taking control of the user's session.
This vulnerability is a problem because it can be used by attackers to steal sensitive user information, such as login credentials or personal data, or to take control of a user's account. It can also be used to spread malware or conduct phishing attacks, making it a significant threat to users of the CGM Event Calendar.
The CVE-2025-31461 vulnerability allows an attacker to inject malicious code into a web page, using a technique known as Reflected Cross-site Scripting (XSS), due to improper handling of user input in the NanoSupport application.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities, which can compromise the security and integrity of the affected system.
This vulnerability allows an attacker to inject malicious code into a web page, taking advantage of a flaw in the Limit Max IPs Per User feature, which can lead to a type of attack known as Cross-site Scripting (XSS) that affects the web page's Document Object Model (DOM).
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially allowing them to steal sensitive information, hijack user sessions, or perform other malicious actions, which can compromise the security and privacy of users interacting with the affected web page.
This vulnerability allows an attacker to inject malicious code into a web page, known as Cross-site Scripting (XSS), when using the Delete Post Revision feature. This can happen when user input is not properly neutralized, enabling the attacker to reflect their malicious code back to the user's browser.
This vulnerability is a problem because it can lead to unauthorized access to sensitive user data, session hijacking, and other malicious activities. An attacker can use this vulnerability to trick users into performing unintended actions, stealing their login credentials, or taking control of their accounts.
The CVE-2025-31446 vulnerability allows an attacker to inject malicious code into a website using the jiangmiao WP Cleaner plugin, version 1.1.5 or earlier, through a reflected Cross-site Scripting (XSS) attack.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities, which can compromise the security and integrity of the affected website and its users.
This vulnerability allows an attacker to inject malicious code into a website, using a technique called Reflected Cross-site Scripting (XSS), by exploiting improper input handling in the NotFound Pages Order feature.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities, which can compromise the security and integrity of the affected website and its users.
The CVE-2025-31441 vulnerability allows an attacker to inject malicious code into a WordPress website using the Galleria plugin, which can lead to Reflected Cross-Site Scripting (XSS) attacks. This means an attacker can trick a user into clicking a link or visiting a webpage that executes the malicious code, potentially stealing user data or taking control of the user's session.
This vulnerability is a problem because it enables attackers to compromise user accounts, steal sensitive information, or perform unauthorized actions on the affected website. The severity score of 7.1 indicates that this is a high-impact vulnerability that can cause significant harm if exploited.
The CVE-2025-31431 vulnerability allows an attacker to inject malicious code into a website using the NotFound WP Bookmarks plugin, which can lead to Reflected Cross-Site Scripting (XSS) attacks. This means an attacker can trick a user into clicking a link that executes malicious code on the website.
This vulnerability is a problem because it can be used by attackers to steal user data, take control of user sessions, or perform other malicious actions on the affected website. The severity score of 7.1 indicates that this is a significant vulnerability that should be addressed promptly.
The CVE-2025-31097 vulnerability allows an attacker to include and execute local files on a server running the Material Dashboard, by exploiting improper control of filenames in PHP include/require statements.
This vulnerability is a problem because it enables attackers to access and execute sensitive files on the server, potentially leading to unauthorized data access, code execution, and system compromise, which can have severe security consequences.
The CVE-2025-31089 vulnerability allows an attacker to inject malicious SQL code into the Order Splitter for WooCommerce plugin, potentially giving them access to sensitive database information.
This vulnerability is a problem because it can be exploited by attackers to extract, modify, or delete sensitive data, including customer information and order details, which can lead to serious security breaches and financial losses.
The CVE-2025-31086 vulnerability allows an attacker to inject malicious code into a website using the Product Table by WBW plugin, versions 2.1.4 and earlier, which can lead to Reflected Cross-site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially stealing sensitive information, hijacking user sessions, or taking control of the user's account, which can compromise the security and integrity of the website and its users.
The CVE-2025-31085 vulnerability allows an attacker to inject malicious code into a website using a technique called Reflected Cross-site Scripting (XSS), which occurs when user input is not properly neutralized during web page generation in the xili-language plugin.
This vulnerability is a problem because it enables attackers to trick users into performing unintended actions, stealing sensitive information, or taking control of user accounts, which can lead to security breaches, data theft, and other malicious activities.
The CVE-2025-31082 vulnerability allows an attacker to include and execute local files on a server running the InfornWeb News & Blog Designer Pack, by exploiting improper control of filenames in PHP include/require statements.
This vulnerability is a problem because it enables an attacker to access and execute sensitive files on the server, potentially leading to unauthorized data access, code execution, and system compromise, which can result in significant security breaches and data losses.
This vulnerability allows an attacker to inject malicious code into a website using the ShortPixel Enable Media Replace plugin, which can lead to Reflected Cross-Site Scripting (XSS) attacks. This means an attacker can trick a user into clicking a link or visiting a webpage that executes the malicious code, potentially stealing sensitive information or taking control of the user's session.
This vulnerability is a problem because it can be used by attackers to steal user data, take control of user accounts, or spread malware. Since it's a Reflected XSS attack, the malicious code is reflected off the website, making it appear as though the website itself is compromised, which can lead to a loss of trust in the website and its owners.
The CVE-2025-31080 vulnerability allows an attacker to inject malicious code into web pages generated by Link Software LLC HTML Forms, enabling Stored Cross-site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to store and execute malicious scripts on the affected web application, potentially leading to unauthorized access, data theft, or other malicious activities.
The CVE-2025-31078 vulnerability allows an attacker to inject malicious code into a web page, enabling Reflected Cross-site Scripting (XSS) attacks, which can occur when using the enituretechnology Small Package Quotes – Worldwide Express Edition plugin, versions up to 5.2.18.
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities, which can compromise the security and integrity of the affected system and its users.
The CVE-2025-30913 vulnerability allows an attacker to inject malicious code into a web page, known as Reflected Cross-site Scripting (XSS), by exploiting improper input neutralization in the podpirate Access Areas.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities, affecting users of Access Areas versions up to and including 1.5.19.