The CVE-2025-66372 vulnerability in Mustang versions before 2.16.3 allows attackers to exfiltrate files using XML External Entity (XXE) attacks, which can lead to unauthorized access to sensitive data.
This vulnerability is a problem because it enables malicious actors to extract confidential files from a system, potentially leading to data breaches, intellectual property theft, and other security incidents, compromising the confidentiality and integrity of the affected system.
The CVE-2025-66371 vulnerability in Peppol-py before version 1.1.1 allows an attacker to perform an XML eXternal Entity (XXE) attack, which enables the reading of files from the filesystem and exposes their content to a remote host when validating XML-based invoices.
This vulnerability is a problem because it allows unauthorized access to sensitive files on the system, potentially leading to data breaches and exposing confidential information to remote attackers.
The CVE-2025-66370 vulnerability allows an attacker to inject malicious XML code (XXE injection) into the Kivitendo system by uploading a specially crafted electronic invoice in the ZUGFeRD format, enabling them to read and extract files from the server's filesystem.
This vulnerability is a problem because it enables unauthorized access to sensitive files on the server, potentially leading to data breaches, intellectual property theft, and other malicious activities, compromising the security and confidentiality of the system.
The CVE-2025-64312 vulnerability allows unauthorized access to files due to a weakness in permission controls within the file management module.
This vulnerability is a problem because it can compromise the confidentiality of sensitive information and services, potentially leading to unauthorized data access or leaks.
The CVE-2025-58311 is a Use-After-Free (UAF) vulnerability in the USB driver module, which allows an attacker to access and manipulate memory that has already been freed, potentially leading to unauthorized actions.
This vulnerability is a problem because it can affect the availability and confidentiality of a system, allowing attackers to disrupt services, steal sensitive information, or gain unauthorized access, which can lead to significant security breaches and data losses.
The CVE-2025-58308 vulnerability is caused by an improper security check in the call module, which can lead to abnormal feature performance when exploited.
This vulnerability is a problem because it can cause features to malfunction, potentially leading to unexpected behavior, errors, or even more severe security issues, which can compromise the overall security and reliability of the system.
This vulnerability allows an attacker to bypass identity authentication in the Gallery app, potentially giving them unauthorized access to sensitive information.
This vulnerability is a problem because it compromises the confidentiality of the service, allowing attackers to access data they shouldn't have permission to see, which can lead to data breaches and other security issues.
The CVE-2025-58304 vulnerability allows unauthorized access to files due to a weakness in permission control within the file management module, potentially exposing sensitive information.
This vulnerability is a problem because it can compromise the confidentiality of services, allowing unauthorized parties to access restricted files and data, which could lead to data breaches or other security incidents.
The CVE-2025-58302 vulnerability allows unauthorized access to the Settings module due to a flaw in permission control, potentially exposing sensitive information.
This vulnerability is a problem because it can compromise the confidentiality of services, allowing unauthorized parties to access restricted data, which can lead to security breaches and data theft.
The Nextend Social Login and Register plugin for WordPress has a vulnerability that allows attackers to trick site administrators into unlinking a user's social login account through a forged request, due to a lack of proper validation.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate site administrators into performing unintended actions, potentially leading to unauthorized access or disruption of social login accounts, which can compromise user identity and security.
The CVE-2025-64315 vulnerability is a configuration defect in the file management module, which can be exploited to compromise the security of an application's data.
This vulnerability is a problem because it can allow unauthorized access to sensitive application data, potentially leading to a breach of confidentiality and integrity, which can have serious consequences for users and the application itself.
The CVE-2025-64314 vulnerability allows unauthorized access to sensitive areas of a system's memory due to a flaw in permission control within the memory management module.
This vulnerability is a problem because it can compromise the confidentiality of sensitive information stored in the system's memory, potentially leading to data breaches or unauthorized exposure of confidential data.
This vulnerability allows an attacker to cause a denial of service (DoS) in the office service, which means they can disrupt or shut down the service, making it unavailable to users.
This vulnerability is a problem because it can affect the availability of the office service, leading to downtime and potential losses in productivity, which can have significant impacts on businesses or organizations that rely on the service.
The CVE-2025-64311 is a permission control vulnerability found in the Notepad module, which allows unauthorized access to sensitive information.
This vulnerability is a problem because it can compromise service confidentiality, meaning that sensitive data may be exposed to unauthorized parties, potentially leading to data breaches or other security issues.
This vulnerability allows an attacker to launch a Denial of Service (DoS) attack on the video-related system service module, potentially crashing or disrupting the service.
This vulnerability is a problem because it can affect the availability of the system or service, making it inaccessible to users, which can lead to downtime, loss of productivity, and other negative consequences.
This vulnerability allows unauthorized access to the Wi-Fi module due to a flaw in permission control, potentially exposing sensitive information.
This vulnerability is a problem because it can compromise the confidentiality of services, allowing unauthorized parties to access restricted data, which can lead to security breaches and data theft.
This vulnerability allows unauthorized access to invalid memory in a component driver module, potentially causing the system to crash or reveal sensitive information.
This vulnerability is a problem because it can impact the availability and confidentiality of a system, meaning that it could cause the system to become unresponsive or leak sensitive data, which can lead to significant disruptions and security breaches.
The CVE-2025-58312 vulnerability affects the App Lock module by allowing unauthorized access due to a permission control issue, potentially disrupting the normal functioning of the application.
This vulnerability is a problem because it could lead to a loss of availability, meaning that users may not be able to access the application or its features when needed, which can cause inconvenience, loss of productivity, or even financial losses.
The CVE-2025-58310 is a permission control vulnerability in a distributed component, which means it can allow unauthorized access to sensitive areas of a system or service.
This vulnerability is a problem because it can compromise the confidentiality of a service, potentially allowing attackers to access sensitive information that they should not have permission to access, which can lead to data breaches or other security issues.
This vulnerability allows unauthorized access to the startup recovery module due to a flaw in permission control, potentially disrupting the system's normal functioning and exposing sensitive information.
This vulnerability is a problem because it can compromise the availability and confidentiality of the system, allowing attackers to disrupt services, steal data, or carry out other malicious activities, which can lead to significant financial and reputational damage.
This vulnerability, known as a Use-After-Free (UAF) vulnerability, occurs in the screen recording framework module, allowing an attacker to potentially access and manipulate memory that has already been freed.
This vulnerability is a problem because it could lead to a denial-of-service attack, causing the system to become unstable or crash, which may affect the availability of the system, resulting in downtime and potential data loss.
This vulnerability allows an attacker to exploit a Use-After-Free (UAF) flaw in the screen recording framework module, potentially enabling them to access or manipulate sensitive data or system resources after they have been freed.
This vulnerability is a problem because it could be used by attackers to disrupt system availability, potentially leading to crashes, freezes, or other service disruptions, which can result in data loss, downtime, and other significant consequences.
The CVE-2025-58294 vulnerability allows unauthorized access to the print module due to inadequate permission controls, potentially exposing sensitive information.
This vulnerability is a problem because it can compromise the confidentiality of services, allowing unauthorized users to access restricted data, which can lead to security breaches and data leaks.
The Logpoint system before version 7.7.0 has a vulnerability where sensitive information is exposed in System Processes for a longer period than usual when the system is under high CPU load.
This vulnerability is a problem because it allows unauthorized access to sensitive information, potentially leading to data breaches or other security issues, especially during periods of high system stress.
The CVE-2025-66360 vulnerability occurs in Logpoint versions before 7.7.0, where an improperly configured access control policy allows li-admin users to access sensitive internal service information, specifically Redis data, which can be used for privilege escalation.
This vulnerability is a problem because it exposes sensitive information to users who should not have access to it, potentially allowing them to gain higher levels of access and control within the system, which can lead to unauthorized actions and data breaches.
The CVE-2025-66359 vulnerability allows an attacker to inject malicious code into Logpoint systems before version 7.7.0, due to insufficient input validation and lack of output escaping, leading to cross-site scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to execute malicious scripts on users' browsers, potentially stealing sensitive information, hijacking user sessions, or performing unauthorized actions, which can compromise the security and integrity of the system.
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority, indicating it is not a valid vulnerability.
It's not a problem as the CVE has been rejected, and no actual vulnerability exists to exploit.
The CVE-2025-3261 vulnerability allows an authenticated user to upload malicious SVG images to ThingsBoard, which can lead to Stored Cross-Site Scripting (XSS) attacks when other users access these images through the public API endpoint or embedded iframes.
This vulnerability is a problem because it enables attackers to execute malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions, such as data theft or system manipulation.
This vulnerability allows an authenticated user to take over another user's account by exploiting a flaw in the authentication process, specifically when switching authentication methods and using a specially crafted email address to send a request to the code-exchange endpoint.
This vulnerability is a problem because it enables account takeover, which can lead to unauthorized access to sensitive information and potential data breaches, compromising the security and integrity of the affected system.
This vulnerability in Mattermost allows any authenticated user to view team email addresses that should only be visible to Team Admins, by accessing a specific endpoint (/api/v4/channels/{channel_id}/common_teams) via a GET request.
This is a problem because it exposes sensitive information (team email addresses) to unauthorized users, potentially leading to spam, phishing attacks, or other security breaches.
The CVE-2025-13765 vulnerability exposes email service credentials to users without administrative rights in Devolutions Server, specifically affecting versions before 2025.2.21 and 2025.3.9.
This vulnerability is a problem because it allows unauthorized access to sensitive email service credentials, potentially leading to email account compromise, data breaches, and other malicious activities.
The CVE-2025-13758 vulnerability exposes credentials in unintended requests in Devolutions Server, affecting versions through 2025.2.20 and 2025.3.8.
This vulnerability is a problem because it allows unauthorized access to sensitive credentials, potentially leading to data breaches, unauthorized account access, and other security threats.
The CVE-2025-13757 vulnerability allows an attacker to inject malicious SQL code into the last usage logs of Devolutions Server, potentially enabling them to access or manipulate sensitive data.
This vulnerability is a problem because it could allow unauthorized access to sensitive information, compromise the integrity of the data, or even lead to a full takeover of the affected system, ultimately putting the security and privacy of the users' data at risk.
This vulnerability allows an authenticated attacker with certain privileges to take over any user account in Mattermost by manipulating authentication data during the OpenID Connect authentication process, due to the failure to properly validate OAuth state tokens.
This is a significant problem because it enables an attacker to gain unauthorized access to user accounts, potentially leading to sensitive data breaches, privilege escalation, and other malicious activities, especially given the high severity score of 9.9.
This vulnerability allows an attacker to inject shell commands into the network diagnostics tool of SDMC NE6037 routers with firmware prior to version 7.1.12.2.44, potentially giving them control over the device.
This vulnerability is a problem because it could allow an attacker who has access to the router's administrative portal to execute arbitrary commands, potentially leading to unauthorized access, data theft, or disruption of the network.
The Unlimited Elements For Elementor plugin for WordPress allows attackers to upload malicious SVG files, which can inject arbitrary web scripts into pages, executing them whenever a user accesses the file.
This vulnerability is a problem because it enables unauthenticated attackers to inject malicious scripts, potentially leading to unauthorized access, data theft, or other harmful activities, even after the premium version of the plugin is deactivated or uninstalled.
The application has a vulnerability in its 'redirectToUrl' mechanism, which allows an attacker to execute arbitrary code by manipulating the 'redirectUrlParameter' parameter, as it incorrectly interprets user input as Java code.
This vulnerability is a problem because it enables unauthenticated attackers to perform arbitrary code execution, potentially leading to unauthorized access, data breaches, or other malicious activities, compromising the security and integrity of the application.
The Folders plugin for WordPress has a vulnerability that allows authenticated attackers with Contributor-level access or higher to move any folder contents to any other folder without proper authorization.
This vulnerability is a problem because it enables attackers to modify and reorganize sensitive data within a WordPress site, potentially disrupting the site's organization and functionality, and possibly leading to further malicious activities.
This vulnerability in Apache CloudStack allows authorized users to access information beyond their intended scope through certain APIs, including createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, and listVolumesUsageHistory, due to insufficient permission validation.
This vulnerability is a problem because it can lead to unauthorized disclosure of sensitive information, potentially allowing malicious actors to gain valuable insights into the system's configuration and usage patterns, which could be used for further exploitation.
The CVE-2025-59302 vulnerability allows for improper control of code generation, specifically code injection, in certain Apache CloudStack APIs that are only accessible to administrators, including quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, and updateStorage.
This vulnerability is a problem because it enables potential attackers with administrative access to inject malicious code, which could lead to unauthorized control and manipulation of the system, compromising its security and integrity.
The CVE-2025-54057 vulnerability allows for improper neutralization of script-related HTML tags in a web page, leading to a basic Cross-Site Scripting (XSS) attack in Apache SkyWalking versions 10.2.0 and earlier.
This vulnerability is a problem because it enables attackers to inject malicious scripts into web pages, potentially allowing them to steal user data, take control of user sessions, or perform other unauthorized actions.
The CVE-2025-59890 vulnerability allows an attacker with local access to exploit improper input sanitization in the Eaton Galileo software's file archives upload functionality, potentially enabling them to execute unauthorized code or commands by traversing paths.
This vulnerability is a problem because it could allow an attacker to gain unauthorized access to the system, execute malicious code, or run commands that could compromise the security and integrity of the data and system, potentially leading to data breaches, system crashes, or other malicious activities.
The CVE-2025-13742 vulnerability allows an attacker to inject HTML or Markdown formatting into emails sent by pretix by including maliciously formatted text in their name, which can then be rendered as HTML in the resulting email.
This vulnerability is a problem because it can be used to manipulate emails and make user-provided content appear trustworthy and credible, potentially leading to phishing attacks where attackers can trick recipients into taking unintended actions.
The WP Fastest Cache plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to modify data without proper authorization, potentially initiating database fix actions.
This vulnerability is a problem because it enables low-level users to perform actions that could compromise the integrity of the database, potentially leading to data corruption or other security issues, especially on sites with the premium version activated.
This vulnerability allows malicious files to be uploaded and used to execute script code when a user clicks on a link controlled by an attacker, enabling unintended actions to be performed within the user's account.
This is a problem because it can lead to the execution of unauthorized actions in the context of a user's account, potentially resulting in the theft of sensitive information.
This vulnerability allows malicious email content to execute script code, enabling unintended actions to be performed under the user's account, potentially leading to the theft of sensitive information.
This vulnerability is a problem because it can be used to gain unauthorized access to a user's account and sensitive data, which could result in data breaches, identity theft, and other malicious activities.
This vulnerability allows malicious script code to be injected into office documents, which can then be executed when the document is edited, potentially leading to unintended actions being taken on the user's account.
This is a problem because it could result in sensitive information being stolen (exfiltrated) from the user's account, and other unauthorized actions being performed, all without the user's knowledge or consent.
This vulnerability allows malicious script code to be executed when a user follows a link to malicious content that was uploaded as a file, potentially leading to unintended actions being taken within the user's account.
This is a problem because it could result in sensitive information being stolen (exfiltrated) from the user's account, and the malicious actions would appear to come from the legitimate user, potentially causing further security issues.
The AI ChatBot with ChatGPT and Content Generator plugin for WordPress has a vulnerability that allows unauthorized access to upload media files due to a missing capability check in the 'ays_chatgpt_save_wp_media' function.
This vulnerability is a problem because it enables unauthenticated attackers to upload malicious media files to a WordPress site, potentially leading to security breaches, malware distribution, or other malicious activities.
The AI ChatBot with ChatGPT and Content Generator plugin for WordPress has a vulnerability that allows unauthorized attackers to make requests to any location on the internet from the WordPress website, potentially accessing or modifying internal services.
This vulnerability is a problem because it enables attackers to use the website as a proxy to access internal networks or services, potentially leading to data breaches, unauthorized modifications, or other malicious activities, all without needing to authenticate with the website.
The Quick View for WooCommerce plugin for WordPress has a vulnerability that allows unauthorized access to private product information through a specific AJAX endpoint, potentially exposing sensitive data.
This vulnerability is a problem because it enables attackers to extract data from private products without authentication, compromising the confidentiality of sensitive information and potentially leading to unauthorized access or misuse.
The Blubrry PowerPress plugin for WordPress allows attackers to upload any type of file to the site's server, even if the file type is not supposed to be allowed, because the plugin doesn't properly check and stop invalid file uploads.
This vulnerability is a problem because it lets attackers with certain levels of access upload malicious files that could allow them to take control of the site remotely, potentially leading to data theft, site defacement, or other harmful activities.
The Hide Category by User Role for WooCommerce plugin for WordPress has a vulnerability that allows unauthorized users to clear the site's object cache by sending fake requests, which can be done without needing to log in to the site.
This vulnerability is a problem because it can be used by attackers to intentionally slow down or disrupt the performance of a WordPress site, potentially causing issues for users and administrators.
The QODE Wishlist for WooCommerce plugin for WordPress has a vulnerability that allows unauthorized users to modify and update the public view of any wishlist, due to a lack of validation on a user-controlled key in the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function.
This vulnerability is a problem because it enables attackers to alter wishlists without permission, potentially leading to unauthorized changes, data manipulation, and exposure of sensitive information, which can compromise the security and integrity of the WordPress site and its users' data.
The WP Directory Kit plugin for WordPress has a vulnerability that allows attackers to inject arbitrary web scripts into pages through a parameter called 'order_by', which can be executed if a user is tricked into clicking on a malicious link.
This vulnerability is a problem because it enables unauthenticated attackers to perform Reflected Cross-Site Scripting attacks, potentially stealing user data, taking control of user sessions, or performing other malicious actions on the affected website.
The Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress has a vulnerability that allows an attacker to trick a site administrator into disconnecting the site from the Opinion Stage platform integration via a forged request, without needing to be authenticated.
This vulnerability is a problem because it enables unauthenticated attackers to interfere with the site's integration with the Opinion Stage platform, potentially disrupting the site's functionality and causing unintended changes, all by tricking an administrator into taking a simple action like clicking on a link.
The StaffList plugin for WordPress has a vulnerability that allows attackers with administrator-level permissions to inject malicious scripts into website pages through the admin settings, due to poor input validation and output escaping.
This vulnerability is a problem because it enables authenticated attackers to execute arbitrary web scripts on pages, potentially leading to unauthorized actions, data theft, or malware distribution, affecting users who access the compromised pages, particularly in multi-site installations or where unfiltered_html has been disabled.
The Customer Reviews Collector for WooCommerce plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages through a parameter called 'email-text', which can be executed when a user clicks on a specially crafted link.
This vulnerability is a problem because it enables unauthenticated attackers to trick users into performing actions that can lead to the execution of arbitrary web scripts, potentially stealing sensitive information, taking control of user accounts, or conducting other malicious activities.
The SKT PayPal for WooCommerce plugin for WordPress has a vulnerability that allows attackers to bypass payment processing, enabling them to make confirmed purchases without actually paying for them.
This vulnerability is a problem because it can lead to significant financial losses for online businesses using the affected plugin, as attackers can exploit it to obtain products or services without making payments, undermining the integrity of the payment process.
The Cleartext Storage of Sensitive Information Vulnerability in GX Works2 allows an attacker to access credential information stored in plaintext from project files, potentially enabling them to open protected project files and obtain or modify sensitive project information.
This vulnerability is a problem because it exposes sensitive credential information, which can be used by attackers to gain unauthorized access to project files, potentially leading to data breaches, tampering, or theft of confidential information.
The Tiger theme for WordPress has a vulnerability that allows authenticated users with Subscriber-level access or higher to elevate their privileges to administrator level by exploiting the $user->set_role() function.
This vulnerability is a problem because it enables attackers to gain high-level access to a WordPress site, potentially allowing them to modify sensitive data, install malicious plugins, or take control of the entire site, compromising its security and integrity.
The Tiger theme for WordPress has a vulnerability that allows attackers to gain administrator access to a site by exploiting a weakness in the 'paypal-submit.php' file, which does not properly restrict user roles during registration, enabling unauthenticated attackers to register as administrators.
This vulnerability is a significant issue because it allows unauthorized users to gain full control over a WordPress site, potentially leading to data breaches, malware distribution, and other malicious activities, posing a substantial risk to the site's security and integrity.
The Tiare Membership plugin for WordPress has a vulnerability that allows unauthenticated attackers to gain administrator access to a site by registering with the 'administrator' role, due to a lack of restriction on user roles during registration.
This vulnerability is a significant issue because it enables attackers to easily gain full control over a WordPress site, potentially leading to data breaches, malware distribution, and other malicious activities, without requiring any authentication or prior access.
The FindAll Membership plugin for WordPress has a vulnerability that allows unauthorized users to bypass authentication and log in as administrative users, given they have an existing account on the site and access to the administrative user's email.
This vulnerability is a significant issue because it enables attackers to gain administrative access to a WordPress site without needing a password, allowing them to perform malicious actions such as modifying site content, installing malware, or stealing sensitive data.
The FindAll Listing plugin for WordPress has a vulnerability that allows unauthenticated attackers to register as administrators on a site by exploiting a function that doesn't restrict user roles during registration, potentially giving them full control over the site.
This vulnerability is a significant issue because it enables attackers to gain administrator access to a WordPress site, allowing them to perform any action they want, including modifying content, installing malware, and stealing sensitive information, which can lead to severe consequences for the site's security and integrity.
The CVE-2025-12758 vulnerability affects versions of the package validator before 13.15.22, where the isLength() function fails to properly account for Unicode variation selectors, leading to incorrect string length calculations. This allows strings to be accepted as valid even if they are significantly longer than intended.
This vulnerability is a problem because it can cause issues such as data truncation in databases, buffer overflows in other system components, or denial-of-service attacks, ultimately compromising the security and reliability of the application.
The Simple Folio plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages using the 'portfolio_name' parameter, due to poor input validation and output escaping, which can lead to the execution of arbitrary web scripts when a user visits the infected page.
This vulnerability is a problem because it enables authenticated attackers with minimal permissions (Subscriber-level access or higher) to inject harmful scripts, potentially leading to unauthorized actions, data theft, or further exploitation of the website.
The CVE-2025-66314 vulnerability allows unauthorized access to certain functionalities in ZTE ElasticNet UME R32 on Linux due to improper privilege management, bypassing the normal access controls defined by Access Control Lists (ACLs).
This vulnerability is a problem because it enables attackers to perform actions that they should not be able to, potentially leading to data breaches, system compromise, or disruption of services, which can have serious consequences for the security and integrity of the affected systems.
The Anyscale Ray 2.52.0 has a default configuration that disables token-based authentication for management interfaces, allowing remote attackers to submit jobs and execute arbitrary code on the cluster if they have network access.
This vulnerability is a problem because it allows unauthorized access to the Ray cluster, enabling attackers to execute arbitrary code and potentially gain control over the system, leading to security breaches and data compromises.
The CVE-2025-13762 vulnerability allows an attacker to cause a Denial of Service (DoS) when a user tries to start a new Secure Web Sessions (SWS) session using the CyberArk Secure Web Sessions Extension on Chrome or Edge browsers, due to improper input validation.
This vulnerability is a problem because it can prevent users from accessing secure web sessions, potentially disrupting business operations and causing inconvenience to users who rely on these sessions.
The Soundslides plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages using the soundslides shortcode, due to poor input validation and output escaping of user-supplied attributes.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to execute arbitrary web scripts on pages, potentially leading to unauthorized actions, data theft, or other malicious activities whenever a user visits the compromised page.
The Shouty plugin for WordPress allows attackers to inject arbitrary web scripts into pages due to a vulnerability in the shouty shortcode, which doesn't properly sanitize and escape user-supplied input, enabling the execution of malicious scripts when a user accesses an infected page.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to inject malicious scripts into WordPress pages, potentially leading to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the website.
The wp-twitpic plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages using the 'twitpic' shortcode, due to insufficient input sanitization and output escaping, affecting all versions up to 1.0.
This vulnerability is a problem because it enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that will execute when a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or further malicious activities.
The Google Drive upload and download link plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages via a specific shortcode, which can then execute when a user visits the infected page.
This vulnerability is a problem because it enables authenticated attackers with certain access levels to inject arbitrary web scripts, potentially leading to unauthorized actions, data theft, or further exploitation of the website.
The SortTable Post plugin for WordPress has a vulnerability that allows attackers to inject malicious scripts into pages using the 'id' parameter in the sorttablepost shortcode, due to insufficient input sanitization and output escaping.
This vulnerability is a problem because it enables authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that will execute when a user interacts with an infected page, potentially leading to unauthorized actions, data theft, or other malicious activities.
The Reuters Direct plugin for WordPress has a vulnerability that allows unauthorized modification of its data, specifically enabling unauthenticated attackers to reset the plugin's settings by exploiting a missing capability check on the 'logoff' action.
This vulnerability is a problem because it allows attackers to alter the plugin's settings without permission, potentially disrupting the functionality of the WordPress site and causing unintended changes or security issues.
The Reuters Direct plugin for WordPress has a vulnerability that allows attackers to trick site administrators into resetting the plugin's settings without their knowledge or consent, by sending forged requests to the site.
This vulnerability is a problem because it enables unauthenticated attackers to alter the plugin's settings, potentially disrupting the site's functionality or leading to unauthorized access, which could compromise the site's security and integrity.
A vulnerability in Automated Logic and Carrier's Zone Controller, which uses the BACnet protocol, can cause the device to crash and enter a fault state. After resetting, a second malicious packet can render the device permanently unresponsive, requiring a manual power cycle to recover.
This vulnerability is a problem because it allows an attacker to disrupt the functionality of the Zone Controller, potentially leading to loss of control over building automation systems, causing inconvenience, and requiring manual intervention to restore functionality.
The CVE-2025-0657 vulnerability allows an attacker to send malformed packets through a BACnet MS/TP network to Automated Logic and Carrier i-Vu Gen5 routers, causing the devices to enter a fault state and lose network visibility.
This vulnerability is a problem because it can disrupt the normal functioning of affected devices, requiring a manual power cycle to restore network connectivity, which can lead to downtime, increased maintenance costs, and potential security risks.
This vulnerability allows a malicious actor to inject malicious code into the login panels of ALC WebCTRL and Carrier i-Vu systems (versions older than 8.0), which can lead to reflective cross-site scripting (XSS) attacks that compromise the client browser.
This vulnerability is a problem because it enables attackers to manipulate the client browser, potentially stealing sensitive information, taking control of user sessions, or performing unauthorized actions on behalf of the user, which can lead to security breaches and data theft.
This vulnerability allows an attacker to bypass security restrictions in ALC WebCTRL and Carrier i-Vu systems, potentially exposing sensitive information through the web-based building automation server.
This vulnerability is a problem because it can give unauthorized access to sensitive information and systems, potentially leading to data breaches, unauthorized changes to building automation systems, and other security incidents.
The CVE-2025-66040 vulnerability allows attackers to inject JavaScript code into a user's browser during the OAuth authentication process for the Spotify Web API, using the Spotipy Python library, by exploiting an unsanitized error parameter in the OAuth callback server.
This vulnerability is a problem because it enables attackers to execute arbitrary JavaScript code in the user's browser, potentially leading to unauthorized access, data theft, or other malicious activities, compromising the security and privacy of users' accounts and information.
The CVE-2025-66035 vulnerability allows for the leakage of a Cross-Site Request Forgery (XSRF) token in Angular applications using protocol-relative URLs in HTTP clients, potentially disclosing sensitive information to an attacker-controlled domain.
This vulnerability is a problem because it can lead to unauthorized access and actions on a user's behalf, as the leaked XSRF token can be used by an attacker to bypass security measures and perform malicious requests.
The CVE-2025-66031 vulnerability allows attackers to craft special input that causes the node-forge library to recursively parse it without limits, leading to a Denial-of-Service (DoS) attack when handling untrusted data.
This vulnerability is a problem because it enables remote, unauthenticated attackers to cause a service disruption by exhausting the system's resources, making it unavailable to legitimate users.
The CVE-2025-66030 vulnerability is an Integer Overflow issue in the node-forge library, which allows remote attackers to manipulate ASN.1 structures and disguise untrusted identifiers as trusted ones by exploiting 32-bit bitwise truncation.
This vulnerability is a problem because it enables attackers to bypass security checks that rely on identifier verification, potentially leading to unauthorized access or malicious activities, as the truncated identifiers may be mistakenly trusted by downstream security mechanisms.
The CVE-2025-64344 vulnerability in Suricata, a network security engine, allows a stack overflow to occur when working with large buffers in Lua scripts, which can be triggered by users of Lua rules and output scripts, particularly when a rule passes a large buffer to a Lua script.
This vulnerability is a problem because it can lead to a stack overflow, potentially causing the system to crash or become unstable, and may allow attackers to execute arbitrary code, compromising the security of the network.
The CVE-2025-64335 vulnerability causes a NULL dereference in Suricata, a network security engine, when a specific keyword ("entropy") is used together with "base64_data". This occurs in Suricata versions 8.0.0 to 8.0.1.
This vulnerability is a problem because it can potentially cause Suricata to crash or become unstable when encountering specific rules, which can lead to a disruption in network security monitoring and protection, allowing potential threats to go undetected.
The CVE-2025-64334 vulnerability allows compressed HTTP data to cause unbounded memory growth during decompression in Suricata, a network security engine, affecting versions 8.0.0 to 8.0.2.
This vulnerability is a problem because it can lead to excessive memory consumption, potentially causing the system to crash or become unresponsive, which can disrupt network security monitoring and protection.
The CVE-2025-64333 vulnerability causes Suricata, a network security engine, to crash due to a stack overflow when logging large HTTP content types.
This vulnerability is a problem because it can lead to a denial-of-service (DoS) condition, where Suricata becomes unresponsive and unable to inspect network traffic, potentially allowing malicious activity to go undetected.
The CVE-2025-64332 vulnerability causes a stack overflow in Suricata, a network security engine, when SWF decompression is enabled, leading to a crash.
This vulnerability is a problem because it can be exploited to disrupt the normal functioning of Suricata, potentially allowing malicious traffic to go undetected and compromising the security of the network.
The CVE-2025-64331 vulnerability allows a stack overflow to occur in Suricata, a network security engine, when handling large HTTP file transfers with increased response body limits and enabled logging of printable HTTP bodies.
This vulnerability is a problem because it can cause a stack overflow, potentially leading to a crash or allowing an attacker to execute arbitrary code, which could compromise the security of the system and allow unauthorized access or data breaches.
The CVE-2025-64330 vulnerability is a heap overflow issue in the Suricata network IDS, IPS, and NSM engine that occurs when logging verdicts in certain records, potentially causing the system to crash. This happens when the per-packet alert queue is filled with alerts and followed by a pass rule.
This vulnerability is a problem because it can lead to system crashes, resulting in downtime and potential security breaches. An attacker could exploit this issue to disrupt the normal functioning of the Suricata engine, compromising the security of the network it is supposed to protect.
The CVE-2025-62593 vulnerability allows attackers to exploit a critical Remote Code Execution (RCE) flaw in the Ray AI compute engine, versions prior to 2.52.0, by manipulating the User-Agent header in browser requests, making it possible to execute malicious code when a developer visits a malicious website or is served a malicious advertisement.
This vulnerability is a problem because it enables attackers to execute arbitrary code on a developer's system, potentially leading to unauthorized access, data theft, or other malicious activities, simply by tricking the developer into visiting a malicious website or serving them a malicious ad, which can be done through various means, including DNS rebinding attacks.
The XML-Sig vulnerability for Perl allows an attacker to bypass validation checks by removing the signature from an XML document, causing the module to incorrectly verify the file as valid even though it lacks a signature.
This vulnerability is a problem because it enables attackers to manipulate XML files without being detected, potentially leading to fraudulent activities or data tampering, as unsigned XML files are not properly validated and can be passed off as legitimate.
This vulnerability allows an unauthenticated remote attacker to download a compressed configuration backup from the ACE SECURITY WIP-90113 HD camera through the /web/cgi-bin/hi3510/backup.cgi endpoint, which may contain administrative credentials and sensitive device settings.
This is a problem because it enables an attacker to obtain sensitive information, including administrative credentials, without needing any authentication or authorization, which could be used to further compromise the camera or the connected network.
The CVE-2020-36873 vulnerability allows an unauthenticated remote attacker to download a compressed configuration backup from Astak CM-818T3 wireless security surveillance cameras without needing a password or permission, potentially exposing administrative credentials and sensitive device settings.
This vulnerability is a problem because it enables attackers to obtain sensitive information, including administrative credentials, which could be used to further compromise the camera or the connected network, potentially leading to unauthorized access, data breaches, or other malicious activities.
The CVE-2020-36872 vulnerability allows a remote attacker to crash the BACnet Test Server by sending a malformed packet with an incorrect BVLC Length value, causing the server to fail and resulting in a denial of service.
This vulnerability is a problem because it enables an unauthenticated attacker to disrupt the service of the BACnet Test Server, potentially causing significant disruptions to building automation and control systems that rely on this server, and leading to downtime and potential security breaches.
The CVE-2020-36871 vulnerability allows anyone to remotely download a backup of the camera's configuration from the ESCAM QD-900 WIFI HD camera without needing a password or permission, potentially exposing sensitive information like admin credentials and device settings.
This vulnerability is a problem because it lets unauthorized people access sensitive camera settings and credentials, which could be used to further compromise the camera or the network it's connected to, potentially leading to unauthorized access, data theft, or other malicious activities.
The CVE-2019-25227 vulnerability allows unauthorized access to the configuration files of Tellion HN-2204AP routers through a specific endpoint, enabling the download of a compressed archive containing sensitive device settings without requiring a password or authentication.
This vulnerability is a problem because it exposes sensitive information such as administrative credentials, wireless keys, and other critical settings, which can be used by attackers to gain further access to the device or the entire network, potentially leading to more severe security breaches.
The CVE-2019-25226 vulnerability allows an attacker to remotely access and download the configuration files of a Dongyoung Media DM-AP240T/W wireless access point without needing a password or any authorization. This configuration file is a compressed archive that may contain sensitive information such as admin credentials.
This vulnerability is a problem because it enables an unauthorized attacker to obtain sensitive information about the device and its network settings, which can be used to launch further attacks or take control of the device and network.