The "Create custom forms for WordPress with a smart form plugin for smart businesses" plugin has a vulnerability that allows unauthorized users to execute arbitrary shortcodes, which are small pieces of code that perform specific actions, due to a lack of proper validation.
This vulnerability is a problem because it enables attackers to execute malicious code on the WordPress site without needing authentication, potentially leading to data breaches, site takeovers, or other malicious activities.
The CVE-2025-46333 vulnerability allows for an out-of-bounds access on the x-axis when using the `z2d.compositor.StrideCompositor.run` function in the z2d graphics library, potentially causing an overflow in the stride length value, which can lead to invalid memory accesses or corruption.
This vulnerability is a problem because it can result in invalid memory accesses or corruption, particularly when compiling in non-safe optimization modes, which can compromise the integrity and stability of the system.
The CVE-2025-32986 vulnerability allows access to sensitive files in NETSCOUT nGeniusONE versions before 6.4.0 b2350 without requiring proper authentication, specifically at a certain endpoint.
This vulnerability is a problem because it enables unauthorized users to gain access to sensitive information, potentially leading to data breaches, confidentiality losses, and other security issues, as sensitive files are not adequately protected.
The NETSCOUT nGeniusONE system, version before 6.4.0 b2350, contains hardcoded credentials that are stored in JAR files, which can be accessed by unauthorized users.
This vulnerability is a problem because hardcoded credentials can be easily obtained by attackers, allowing them to gain unauthorized access to the system, potentially leading to data breaches, system compromise, and other malicious activities.
The CVE-2025-32984 vulnerability allows an attacker to inject malicious code into the NETSCOUT nGeniusONE system through a specific POST parameter, which can lead to Stored Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to store malicious scripts on the system, which can then be executed by other users, potentially leading to unauthorized access, data theft, or other malicious activities.
The CVE-2025-32983 vulnerability in NETSCOUT nGeniusONE versions before 6.4.0 b2350 allows an attacker to access technical information through a stack trace, potentially revealing sensitive data about the system.
This vulnerability is a problem because it could allow attackers to gain valuable insights into the system's internal workings, which could be used to plan and execute further attacks, compromising the security and integrity of the system.
The CVE-2025-32982 vulnerability allows unauthorized access to the report module in NETSCOUT nGeniusONE versions before 6.4.0 b2350 due to a broken authorization schema.
This vulnerability is a problem because it enables attackers to access sensitive information and potentially modify or exploit the report module without proper authorization, which can lead to data breaches, system compromise, and other security threats.
The CVE-2025-32981 vulnerability allows local users to exploit insecure permissions on the nGeniusCLI file in NETSCOUT nGeniusONE versions before 6.4.0 b2350.
This vulnerability is a problem because it gives local users unauthorized access to sensitive files, potentially allowing them to modify or extract confidential data, disrupt system operations, or escalate their privileges.
The NETSCOUT nGeniusONE system, version before 6.4.0 b2350, has a weak configuration for the sudo command, which allows users to run commands with elevated privileges.
This vulnerability is a problem because it can allow unauthorized users to gain elevated access to the system, potentially leading to unauthorized changes, data breaches, or other malicious activities.
The CVE-2025-32979 vulnerability in NETSCOUT nGeniusONE before version 6.4.0 b2350 allows authenticated users to create arbitrary files on the system.
This vulnerability is a problem because it enables malicious actors with authenticated access to create files that could be used for malicious purposes, such as storing malware, creating backdoors, or overwriting critical system files, potentially leading to system compromise or disruption.
This vulnerability allows attackers to bypass the One-Time Password (OTP) verification process in Mytel Telecom's Online Account System by sending a specially crafted request, potentially granting unauthorized access to user accounts.
This vulnerability is a problem because it undermines the security measures put in place to protect user accounts, making it easier for attackers to gain unauthorized access and potentially leading to data breaches, identity theft, or other malicious activities.
The CVE-2025-3935 vulnerability allows attackers to inject malicious code into the ViewState of ScreenConnect versions 25.2.3 and earlier, potentially leading to remote code execution on the server if an attacker obtains privileged system level access and compromises the machine keys used to protect ViewState data.
This vulnerability is a problem because it could allow attackers to gain control of the server, potentially leading to unauthorized access, data theft, or other malicious activities, especially since it can be exploited to achieve remote code execution.
The HCL SX v21 system uses a weak cryptographic algorithm, allowing an attacker to potentially exploit this weakness and gain unauthorized access to sensitive information, modify data, or cause other negative impacts.
This vulnerability is a problem because it enables attackers to bypass security measures and compromise the confidentiality, integrity, and availability of sensitive data, which can lead to financial loss, reputational damage, and other severe consequences.
The Codeastro Bus Ticket Booking System v1.0 has a vulnerability that allows an attacker to inject malicious SQL code through the "kodetiket" parameter in the "/BusTicket-CI/tiket/cekorder" endpoint, potentially giving them unauthorized access to sensitive database information.
This vulnerability is a problem because it could allow attackers to extract, modify, or delete sensitive data, disrupt the system's functionality, or even gain control of the entire database, leading to serious security breaches and potential financial losses.
The Commvault Web Server has a vulnerability that allows a remote, authenticated attacker to create and execute webshells, potentially taking control of the web server.
This vulnerability is a problem because it enables attackers to compromise the web server, potentially leading to unauthorized access, data breaches, and other malicious activities, which can have severe consequences for the security and integrity of the system.
The CVE-2025-2070 vulnerability allows an attacker to read arbitrary files on a system by exploiting an improper XML parsing issue in the FileZ client, which can be triggered when a user visits a specially crafted URL.
This vulnerability is a problem because it enables unauthorized access to sensitive files on the system, potentially leading to data breaches, leaks of confidential information, or further exploitation of the system.
This vulnerability allows an attacker to execute malicious code on a user's system if the user visits a specially crafted URL using the FileZ client.
This is a problem because it enables attackers to run unauthorized code on a user's system, potentially leading to data theft, system compromise, or other malicious activities.
The CVE-2025-2068 vulnerability allows an attacker to create a crafted URL that, when visited by a local user, can redirect them to an unintended website, potentially leading to information disclosure through the FileZ client.
This vulnerability is a problem because it can be exploited by attackers to trick users into revealing sensitive information or to redirect them to malicious websites, which can lead to further attacks, such as phishing or malware installation.
The CVE-2024-56156 vulnerability allows attackers to bypass file type validation controls in the Halo website building tool, enabling them to upload malicious files such as executables and HTML files.
This vulnerability is a problem because it can lead to stored cross-site scripting attacks and potentially allow remote code execution, which can compromise the security of the website and its users.
No information is available for this CVE, as the original description was rejected and no details were provided.
The lack of information about this vulnerability makes it difficult to assess its potential impact, but in general, unknown vulnerabilities can be a problem because they can be exploited by attackers before a fix is available.
This vulnerability allows an attacker to inject malicious code into the Data Directory tab of JetBrains TeamCity, which can lead to a stored Cross-Site Scripting (XSS) attack, potentially executing unwanted actions on the system.
This vulnerability is a problem because it enables attackers to manipulate the system, steal sensitive information, or perform unauthorized actions, compromising the security and integrity of the data and systems managed by JetBrains TeamCity.
The CVE-2025-46433 vulnerability allows for improper path validation in the loggingPreset parameter in JetBrains TeamCity versions before 2025.03.1, potentially enabling unauthorized access to sensitive files or directories.
This vulnerability is a problem because it could allow attackers to manipulate the loggingPreset parameter to access or modify sensitive data, potentially leading to security breaches or disruptions in the development environment.
This vulnerability in JetBrains TeamCity allows base64-encoded credentials to be exposed in build logs, potentially revealing sensitive information.
This is a problem because exposed credentials can be used by unauthorized parties to gain access to sensitive systems, data, or applications, compromising security and potentially leading to further attacks or data breaches.
The CVE-2025-43862 vulnerability allows normal users to access and modify app orchestration in the Dify platform, even if they are not presented with the option to do so in the web UI, due to a flaw in access control.
This vulnerability is a problem because it enables non-admin users to make unauthorized changes to apps, potentially leading to security breaches, data tampering, or disruption of services, which can have serious consequences.
The CVE-2025-43016 vulnerability in JetBrains Rider before version 2025.1.2 allows an attacker to overwrite arbitrary files on a system during a remote debug session, using a custom archive unpacker.
This vulnerability is a problem because it enables an attacker to modify sensitive files on a system, potentially leading to data corruption, privilege escalation, or the execution of malicious code, which can compromise the security and integrity of the system.
This vulnerability in Moodle allows unauthorized users to access cohort data that they should not be able to retrieve, due to a lack of proper access checks.
This is a problem because it can lead to sensitive information being exposed to users who do not have the necessary permissions, potentially compromising user privacy and data security.
This vulnerability allows users to view other users' names and online statuses in Moodle due to insufficient capability checks in a messaging web service.
This vulnerability is a problem because it compromises user privacy by allowing unauthorized access to personal information, potentially leading to social engineering attacks or other malicious activities.
This vulnerability allows users to delete course sections in Moodle that they do not have permission to modify, due to a lack of proper checks.
This vulnerability is a problem because it can lead to unauthorized modifications of course content, potentially disrupting the learning environment and causing data loss or inconsistencies.
This vulnerability allows an attacker to inject malicious code into a Moodle webpage by manipulating the return URL in the policy tool, potentially leading to a Cross-site scripting (XSS) attack.
This vulnerability is a problem because it could enable an attacker to steal user data, take control of user sessions, or perform unauthorized actions on behalf of the user, compromising the security and integrity of the Moodle platform.
This vulnerability allows remote code execution in the Moodle LMS EQUELLA repository, which means an attacker could potentially execute malicious code on a Moodle site that has the EQUELLA repository enabled.
This is a problem because it gives attackers the ability to run arbitrary code on the site, potentially leading to data breaches, site takeovers, or other malicious activities, and it is particularly concerning since it affects teachers and managers who have elevated privileges.
This vulnerability allows for remote code execution in the Moodle Learning Management System (LMS) through the Dropbox repository, potentially enabling attackers to execute malicious code on the system.
This vulnerability is a problem because it could allow attackers to gain unauthorized access to the system, steal sensitive data, or disrupt the functioning of the Moodle platform, particularly since it affects teachers and managers who have elevated privileges.
This vulnerability allows a user enrolled in a Moodle course to access personal details, such as full names and profile image URLs, of other users without having the necessary permissions.
This vulnerability is a problem because it compromises the privacy of Moodle users by potentially exposing their personal information to unauthorized individuals, which could lead to identity theft, harassment, or other forms of exploitation.
The Moodle Brickfield tool has a flaw that allows a Cross-site request forgery (CSRF) risk because it lacks a necessary token to prevent unauthorized actions when analyzing requests.
This vulnerability is a problem because it enables an attacker to trick a user into performing unintended actions on the Moodle platform, potentially leading to unauthorized access, data modification, or other malicious activities.
This vulnerability in Moodle allows confidential information that protects against cross-site request forgery (CSRF) attacks to be shared publicly through the site's URL, specifically on edit and delete pages within the mod_data module.
This is a problem because it enables attackers to potentially bypass CSRF protections, allowing them to perform unauthorized actions on behalf of legitimate users, which could lead to data modification or deletion.
This vulnerability allows unauthorized users to access and view RSS feeds in Moodle due to insufficient capability checks, potentially exposing sensitive information.
This vulnerability is a problem because it can lead to unauthorized access to sensitive data, compromising user privacy and potentially allowing malicious actors to gather information that could be used for further attacks.
This vulnerability in Moodle allows an attacker to duplicate existing tours without logging in, by exploiting a lack of protection against cross-site request forgery (CSRF) attacks.
This is a problem because it enables unauthorized access and modification of Moodle tours, potentially disrupting the learning environment and causing confusion among users.
This vulnerability allows anonymous assignment submissions in Moodle to be identified through a search function, revealing the identities of students who were intended to remain anonymous.
This vulnerability is a problem because it compromises the anonymity of students, potentially infringing on their privacy and trust in the educational platform, and could have serious consequences in situations where anonymity is crucial, such as in sensitive or high-stakes assessments.
This vulnerability allows certain users to access sensitive information about other students in Moodle before those students have completed the two-factor authentication (2FA) verification process.
This is a problem because it compromises the security and privacy of student information, potentially exposing personal data to unauthorized individuals, even if 2FA is supposed to be in place to protect it.
This vulnerability allows hackers to access sensitive student information and block students from logging into their accounts, even if they have successfully completed two-factor authentication (2FA).
This vulnerability is a problem because it compromises the security and privacy of student data, and also denies students access to their accounts, potentially disrupting their learning activities.
The CVE-2025-32432 vulnerability allows an attacker to execute remote code on Craft CMS versions 3.0.0-RC1 to 3.9.14, 4.0.0-RC1 to 4.14.14, and 5.0.0-RC1 to 5.6.16, enabling them to run malicious code on the system.
This vulnerability is a significant issue because it enables attackers to gain control over the system, potentially leading to data breaches, malware installation, and other malicious activities, with a high impact and relatively low complexity to exploit.
This vulnerability allows users without necessary permissions to access hidden grades in certain grade reports due to insufficient capability checks in Moodle.
This vulnerability is a problem because it can lead to unauthorized access to sensitive information, potentially compromising student privacy and confidentiality, and undermining the integrity of the grading system.
This vulnerability in Moodle allows unauthenticated users to access sensitive user data, including names, contact information, and hashed passwords, through specific API calls that return stack traces.
This is a problem because it exposes private user information, which could be used for identity theft, phishing, or other malicious activities, potentially compromising the security and privacy of users on affected Moodle sites.
This vulnerability allows remote attackers who have authentication credentials to inject and execute arbitrary SQL commands into the EasyVirt DCScope and CO2Scope systems by manipulating various parameters in API requests, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it enables attackers to bypass normal security controls, access, modify, or delete sensitive data, and potentially disrupt the operation of the affected systems, leading to data breaches, system compromise, or other malicious activities.
This vulnerability allows students to enroll in Moodle courses without completing all required safety checks, including two-step verification processes, enabling premature course sign-ups.
This vulnerability is a problem because it bypasses essential security measures, potentially allowing unauthorized access to courses and sensitive information, which could compromise student data and the overall integrity of the learning environment.
This vulnerability allows attackers to manipulate the Printer Manager System of Entrust Corp Printer Manager version D3.18.4-3 and below, by sending a specially crafted POST request that can execute a directory traversal, potentially accessing or modifying files outside the intended directory.
This vulnerability is a problem because it enables unauthorized access and potential modification of sensitive files and directories, which could lead to data breaches, disruption of printing services, or even lateral movement within the network, compromising the security and integrity of the system.
The CVE-2024-57375 vulnerability allows an attacker with physical access to the Andamiro Pump It Up 20th Anniversary game system to crash the application by performing specific deselect actions.
This vulnerability is a problem because it can be exploited by an attacker to intentionally disrupt the game system, causing a denial of service and potentially resulting in financial losses or inconvenience to the game operators and players.
This vulnerability allows an unauthenticated attacker to manipulate Dynamic DNS (DDNS) traffic and force a buffer overflow on a modem, potentially giving them control over the device.
This vulnerability is a problem because it could allow an attacker to gain unauthorized access to a modem, potentially leading to further exploitation of the network and connected devices.
This CVE exposes a vulnerability in a device's web interface, specifically in the lighttpd web service running on ports TCP/3030 and TCP/9882, where an attacker can send a specially crafted HTTP request to exploit a stack buffer overflow due to insecure path parsing.
This vulnerability is a problem because it allows an attacker with access to the LAN network interface to potentially gain control of the device by overflowing the buffer, which could lead to unauthorized access, data theft, or disruption of service.
The WS Form LITE plugin for WordPress has a vulnerability that allows unauthorized access to its settings, including API keys, due to a missing capability check in the 'get_config' function.
This vulnerability is a problem because it enables unauthenticated attackers to read sensitive information, such as API keys for integrated services, which could be used for malicious purposes, including data breaches and unauthorized access to connected services.
The CVE-2025-2986 vulnerability in IBM Maximo Asset Management 7.6.1.3 allows a privileged user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to the execution of malicious scripts.
This vulnerability is a problem because it can lead to credentials disclosure within a trusted session, potentially allowing attackers to gain unauthorized access to sensitive information and systems.
The Service Finder Bookings plugin for WordPress has a vulnerability that allows attackers to create an account with any role, including Administrator, when using social login, due to a lack of user role restrictions in the plugin's code.
This vulnerability is a significant issue because it enables unauthenticated attackers to gain administrative access to a WordPress site, potentially leading to unauthorized data access, modification, or deletion, as well as taking control of the entire site.
The JobSearch WP Job Board plugin for WordPress has a vulnerability that allows unauthenticated attackers to bypass authentication and log in as a connected Xing or Google user under certain conditions, specifically as the first connected Xing user or any connected Xing user if the Xing ID is known, or as the first connected Google user if they have not logged out in thirty days.
This vulnerability is a problem because it enables unauthorized access to user accounts, potentially leading to data breaches, account takeovers, and other malicious activities, which can compromise the security and integrity of the WordPress site and its users.
The Mayosis Core plugin for WordPress has a vulnerability that allows unauthorized access to read the contents of any file on the server, due to a flaw in the remote_dl.php file.
This vulnerability is a problem because it enables attackers to access sensitive information stored on the server, such as database credentials, encryption keys, or other confidential data, without needing to authenticate themselves.
The 1 Decembrie 1918 plugin for WordPress has a vulnerability that allows attackers to trick site administrators into performing unintended actions, such as updating settings or injecting malicious scripts, by sending forged requests that appear to come from the administrator.
This vulnerability is a problem because it enables unauthenticated attackers to gain unauthorized access to a WordPress site's settings and potentially inject malicious code, which could lead to security breaches, data theft, or malware distribution, all without the need for the attacker to have any legitimate credentials.
The BM Content Builder plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to modify data and update arbitrary options on the site, potentially leading to privilege escalation.
This vulnerability is a problem because it enables attackers to gain administrative access to a vulnerable WordPress site by updating the default role for registration to administrator and enabling user registration, allowing them to create new administrator accounts and take control of the site.
The CVE-2025-46535 vulnerability allows unauthorized access to the AlphaEfficiencyTeam Custom Login and Registration system due to missing authorization and incorrectly configured access control security levels.
This vulnerability is a problem because it enables attackers to exploit the system's weak security controls, potentially leading to unauthorized data access, modification, or other malicious activities, which can compromise the security and integrity of the system and its users.
The CVE-2025-46482 vulnerability allows an attacker to inject malicious code into a website using the MyThemeShop WP Quiz plugin, which can lead to Stored Cross-site Scripting (XSS) attacks. This means an attacker can store malicious scripts on the website that will be executed when other users visit the site.
This vulnerability is a problem because it enables attackers to steal user data, take control of user accounts, or perform other malicious actions on the affected website. The severity of this issue is rated 6.5, indicating a moderate to high level of risk.
The Quantum StorNext Web GUI API has a vulnerability that allows unauthorized access to internal configuration settings and modification of software parameters using undocumented user credentials, affecting various StorNext products.
This vulnerability is a problem because it grants unauthorized users the ability to modify sensitive configuration settings, potentially disrupting the functionality and security of the affected systems, and allowing malicious activities to occur.
The CVE-2025-46616 vulnerability allows an attacker to remotely execute arbitrary code on a system by uploading a malicious file to the Quantum StorNext Web GUI API, affecting various StorNext products and ActiveScale Cold Storage.
This vulnerability is a problem because it enables attackers to gain control over the system, potentially leading to data breaches, unauthorized access, and other malicious activities, posing a significant threat due to its high severity score of 9.9.
The Custom Admin-Bar Favorites plugin for WordPress has a vulnerability that allows attackers to inject arbitrary web scripts into pages via the 'menuObject' parameter, due to insufficient input sanitization and output escaping, which can be triggered by tricking a user into clicking on a malicious link.
This vulnerability is a problem because it enables unauthenticated attackers to execute arbitrary scripts on a user's browser, potentially leading to unauthorized actions, data theft, or other malicious activities, all without needing direct access to the WordPress site.
The Ajax Comment Form CST plugin for WordPress has a vulnerability that allows attackers to trick site administrators into updating settings and injecting malicious web scripts without their knowledge, due to a lack of proper validation.
This vulnerability is a problem because it enables unauthenticated attackers to make unauthorized changes to a website's settings, potentially leading to malicious activities such as data theft, malware distribution, or defacement of the website, all by simply tricking an administrator into clicking on a link.
The Add Google +1 social share button plugin for WordPress has a vulnerability that allows attackers to trick site administrators into performing unintended actions, such as updating settings or injecting malicious scripts, by sending forged requests.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate the website's settings and potentially inject malicious code, which could lead to security breaches, data theft, or other harmful consequences, all without needing direct access to the site's administration panel.
The Upsell Funnel Builder for WooCommerce plugin for WordPress has a vulnerability that allows attackers to manipulate orders, specifically changing the product associated with an order bump and the discount applied to it, by altering the additional product ID and discount field before the order is processed.
This vulnerability is a problem because it enables unauthenticated attackers to arbitrarily modify orders, potentially leading to financial losses or other malicious activities, such as changing the price of products or substituting products with others, all without needing to be logged in or having any authorized access.
The Vikinger theme for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to Administrator-level due to insufficient user_meta restrictions in the 'vikinger_user_meta_update_ajax' function.
This vulnerability is a problem because it enables attackers to gain high-level access to a WordPress site, potentially allowing them to modify sensitive data, install malware, or take control of the entire site, which can lead to significant security breaches and data losses.
The CVE-2025-46613 vulnerability in OpenPLC versions 3 through 64f9c11 causes memory corruption due to a thread accessing certain arguments after they are no longer available, leading to potential system instability or crashes.
This vulnerability is a problem because it can allow an attacker to potentially execute arbitrary code, gain unauthorized access, or disrupt the system's operation, which can have serious consequences in industrial control systems where OpenPLC is often used.
The Prevent Direct Access – Protect WordPress Files plugin has a vulnerability that allows attackers to potentially access sensitive files protected by the plugin, due to the insufficient randomness of generated file names.
This vulnerability is a problem because it enables unauthenticated attackers to extract sensitive data, including protected files, if they can guess or determine the file name, which could lead to unauthorized access and data breaches.
The Prevent Direct Access – Protect WordPress Files plugin has a vulnerability that allows authenticated attackers with Contributor-level access or higher to access and modify the protection status of media files, despite not being authorized to do so.
This vulnerability is a problem because it allows lower-level users to bypass security controls and make changes to sensitive media files, potentially leading to data breaches, unauthorized data modifications, or other malicious activities.
This vulnerability allows a remote attacker to send specially crafted UDP packets to certain Mitsubishi Electric Corporation modules, causing a Denial of Service (DoS) condition that disrupts the normal functioning of the products.
This vulnerability is a problem because it enables an unauthenticated attacker to remotely shut down or disrupt the operation of critical systems, potentially leading to downtime, loss of productivity, and other negative consequences, especially in industrial or manufacturing environments where these modules are typically used.
The Contact Form by Bit Form plugin for WordPress allows attackers to upload malicious SVG files that can inject arbitrary web scripts into pages, which will execute when a user accesses the file, due to insufficient input sanitization and output escaping.
This vulnerability is a problem because it enables authenticated attackers with Author-level access or higher to inject malicious scripts into pages, potentially leading to unauthorized actions, data theft, or other security breaches when users access the compromised SVG files.
The Icegram Express WordPress plugin has a flaw that allows high-privilege users, such as admins, to inject malicious code into template settings, potentially leading to Stored Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to inject malicious scripts, which can be executed by other users, including those with lower privileges, potentially leading to unauthorized access, data theft, or other malicious activities, even in environments where certain privileges are restricted.
The CNCF K3s version 1.32 before 1.32.4-rc1+k3s1 has a configuration issue that sets the ReadOnlyPort to 10255, potentially allowing unauthenticated access to this port and exposing sensitive credentials.
This vulnerability is a problem because it could allow unauthorized access to sensitive information, including credentials, which could be used for malicious purposes, compromising the security of the system.
The ShopLentor WordPress plugin has a vulnerability that allows unauthorized attackers to make requests to any website or server, making it seem like the request is coming from the WordPress site itself, potentially allowing them to access or modify sensitive information on internal services.
This vulnerability is a problem because it enables attackers to bypass normal security restrictions and interact with internal services that are not directly accessible from the internet, which could lead to unauthorized data access, modification, or other malicious activities.
The Able Player plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into web pages via the 'preload' parameter, due to poor input sanitization and output escaping, affecting all versions up to 1.2.1.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that will execute whenever a user accesses the injected page, potentially leading to unauthorized actions, data theft, or other malicious activities.
The CVE-2025-46595 vulnerability is a Cross Site Scripting (XSS) issue in the Flag module for Backdrop CMS, which allows an attacker to inject crafted HTML code into the website when a flag action is performed, potentially executing malicious scripts.
This vulnerability is a problem because it can allow an attacker to perform unauthorized actions on the website, such as stealing user data or taking control of user accounts, by exploiting the lack of verification of flag links and responses. Although the attacker needs a role with permission to create links on the website, this still poses a significant risk to the security of the website and its users.
The Sherpa Orchestrator web application is vulnerable to CSRF (Cross-Site Request Forgery) attacks, allowing an attacker to perform unauthorized actions such as conducting XSS (Cross-Site Scripting) attacks, adding new users or roles, or exploiting SQL injection issues.
This vulnerability is a problem because it enables an attacker to manipulate the web application and perform malicious actions without the user's knowledge or consent, potentially leading to data breaches, unauthorized access, or disruption of services.
The CVE-2025-46546 vulnerability allows an authenticated user to perform multiple time-based blind SQL injections in Sherpa Orchestrator 141851, targeting various API endpoints related to asset, file, process, and task management.
This vulnerability is a problem because it enables an attacker to extract or modify sensitive data from the database, potentially leading to unauthorized access, data breaches, or disruption of services, even if they only have authenticated access to the system.
The CVE-2025-46545 vulnerability in Sherpa Orchestrator allows an administrator to embed malicious code, known as a stored XSS attack, into the system through the license name parameter, which can be executed when the license expires.
This vulnerability is a problem because it enables malicious code to be stored and executed within the system, potentially allowing attackers to steal sensitive information, disrupt system operations, or take control of user sessions, even after the initial exploit has occurred.
The CVE-2025-46544 vulnerability in Sherpa Orchestrator allows a user with low privileges to gain higher-level access by creating new users and roles.
This vulnerability is a problem because it enables unauthorized users to escalate their privileges, potentially giving them control over sensitive systems and data, which could lead to security breaches, data theft, or disruption of services.
The CVE-2025-43865 vulnerability allows an attacker to modify pre-rendered data in React Router versions prior to 7.5.2 by adding a specific header to a request, enabling them to completely spoof the contents and alter the data object passed to the HTML.
This vulnerability is a problem because it enables attackers to manipulate the data displayed on a webpage, potentially leading to security issues such as phishing, data tampering, or other malicious activities, which can compromise user trust and confidentiality.
The CVE-2025-43864 vulnerability allows an attacker to force a React application using React Router to switch from Server-Side Rendering (SSR) to Single-Page Application (SPA) mode by adding a specific header to a request, causing a page error that can be cached by the system.
This vulnerability is a problem because it can lead to cache poisoning, where the cached error response is served to users, significantly impacting the application's availability and potentially causing widespread disruption to users.
The Vestel AC Charger version 3.75.0 contains a vulnerability that allows an attacker to access sensitive files, including those with credentials.
This vulnerability is a problem because it enables attackers to obtain sensitive information, such as credentials, which can be used to further compromise the device and potentially lead to unauthorized access or data breaches.
The ALBEDO Telecom Net.Time - PTP/NTP clock software release 1.4.4 has a vulnerability that allows an attacker to keep a session active indefinitely, potentially enabling them to transmit sensitive information, such as passwords, over unencrypted connections.
This vulnerability is a problem because it allows attackers to intercept sensitive information, including passwords, which could be used to gain unauthorized access to the system, compromising its security and potentially leading to further malicious activities.
This vulnerability allows an attacker to create a new administrator account on affected WGS-80HPT-V2 and WGS-4215-8T2S devices without needing any existing login credentials.
This is a significant issue because it enables unauthorized users to gain full administrative access to the devices, potentially leading to data breaches, system compromise, and other malicious activities.
The UNI-NMS-Lite system uses hard-coded credentials, allowing an unauthenticated attacker to access the managed database and perform actions such as reading, manipulating, and creating entries.
This vulnerability is a problem because it enables unauthorized users to gain control of the database, potentially leading to sensitive data exposure, modification, or deletion, which can have severe consequences for the security and integrity of the system.
The UNI-NMS-Lite system uses fixed, hard-coded login credentials, allowing an unauthorized attacker to potentially gain full administrative access to all devices managed by UNI-NMS.
This vulnerability is a significant issue because it enables an attacker to easily gain control over the entire network of managed devices without needing to guess or crack passwords, posing a substantial risk to the security and integrity of the system.
This vulnerability allows an unauthenticated attacker to inject commands into the WGS-80HPT-V2 and WGS-4215-8T2S systems, enabling them to execute operating system commands on the host system.
This is a significant issue because it permits unauthorized access to the system, potentially leading to data breaches, system compromise, and other malicious activities, all without the need for authentication.
The CVE-2025-46271 vulnerability allows an unauthenticated attacker to inject commands into UNI-NMS-Lite, giving them the ability to read or manipulate device data without authorization.
This vulnerability is a problem because it enables attackers to access and alter sensitive device information, potentially disrupting network operations, stealing confidential data, or using the compromised devices for further malicious activities, all without needing any legitimate credentials.
The Breeze Display plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages through a parameter called 'cal_size', which can execute when a user visits the infected page.
This vulnerability is a problem because it enables authenticated attackers with certain access levels to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or other malicious activities on the affected website.
The eForm WordPress plugin has a vulnerability that allows attackers to inject malicious scripts into website pages, which will be executed when a user visits the infected page.
This vulnerability is a problem because it enables unauthenticated attackers to inject arbitrary web scripts, potentially leading to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the website and its users.
The ManageWiki MediaWiki extension has a vulnerability that allows an attacker to inject malicious code into the "Review Changes" dialog, which can then be executed in the context of the attacker's own session, potentially leading to cross-site scripting (XSS) attacks.
This vulnerability is a problem because it can allow an attacker to perform unauthorized actions, steal sensitive information, or take control of the user's session, which can compromise the security and integrity of the wiki and its users.
The ITC Systems Multiplan/Matrix OneCard platform version 3.7.4.1002 contains a SQL injection vulnerability in the Forgotpassword.aspx component, allowing attackers to inject malicious SQL code.
This vulnerability is a problem because it enables attackers to access, modify, or extract sensitive data from the database, potentially leading to unauthorized access, data breaches, or disruption of the system.
The CVE-2025-25777 vulnerability allows an attacker to access another user's profile in the Codeastro Bus Ticket Booking System by manipulating the user ID in the URL, bypassing authentication and authorization checks.
This vulnerability is a problem because it enables unauthorized access to sensitive user information, potentially leading to identity theft, data breaches, or other malicious activities, compromising user privacy and system security.
The CVE-2024-30127 vulnerability allows sensitive data to be cached due to missing "no cache" headers in HCL Leap, which means that confidential information can be stored and potentially accessed by unauthorized parties.
This vulnerability is a problem because it can lead to unauthorized access to sensitive data, compromising the confidentiality and security of the information. If an attacker gains access to the cached data, they may be able to exploit it for malicious purposes.
The CVE-2023-37516 vulnerability allows user directory information in HCL Leap to be cached due to missing "no cache" headers, potentially exposing sensitive data.
This vulnerability is a problem because it enables the caching of sensitive user directory information, which could be accessed by unauthorized parties, compromising user privacy and potentially leading to further security breaches.
The CVE-2022-44760 vulnerability allows the execution of unsafe JavaScript in deployed applications due to an unsafe default file type filter policy in HCL Leap.
This vulnerability is a problem because it enables attackers to execute malicious JavaScript code, potentially leading to unauthorized access, data breaches, or other security threats, compromising the security and integrity of the deployed applications.
This vulnerability allows an attacker to inject malicious scripts into deployed applications through improperly sanitized SVG files in HCL Leap.
This vulnerability is a problem because it enables client-side script injection, which can lead to unauthorized access, data theft, and other malicious activities, potentially compromising the security and integrity of the affected applications.
The iSTAR Configuration Utility (ICU) tool has a buffer overflow issue under certain circumstances, which means that more data is written to a buffer than it is designed to hold, potentially causing the program to crash or allowing malicious code to be executed.
This vulnerability is a problem because it could allow an attacker to gain unauthorized access to the system, execute malicious code, or cause the system to become unstable, potentially leading to data loss or disruption of service.
The CVE-2025-43859 vulnerability affects the h11 Python library, which implements HTTP/1.1, allowing for request smuggling due to lenient parsing of line terminators in chunked-coding message bodies.
This vulnerability is a problem because it can be exploited to smuggle malicious requests, potentially leading to unauthorized access, data breaches, or other security issues, especially when combined with a buggy proxy server.
The CVE-2025-43858 vulnerability allows malicious commands to be injected when using the YoutubeDLSharp wrapper to download videos on Windows, specifically when the `UseWindowsEncodingWorkaround` value is set to true, which is the default behavior for built-in methods.
This vulnerability is a problem because it enables attackers to execute arbitrary commands on a user's system, potentially leading to unauthorized access, data theft, or other malicious activities, especially since the default setting makes it difficult for users to disable the vulnerable behavior.
The SAP NetWeaver Visual Composer Metadata Uploader vulnerability allows an unauthenticated user to upload malicious executable files to the system without proper authorization.
This vulnerability is a problem because it enables attackers to upload harmful files that can severely damage the host system, compromising its confidentiality, integrity, and availability.