This vulnerability allows for improper authorization in IROAD Dash Cam X5 and Dash Cam X6 devices, which can be exploited remotely, potentially giving unauthorized access to the device.
This is a significant issue because it could allow attackers to gain control of the device without permission, which could lead to unauthorized data access, theft, or other malicious activities, especially since the devices are connected to vehicles and may store sensitive information.
The CVE-2025-2344 vulnerability allows unauthorized access to the IROAD Dash Cam X5 and X6 devices through a missing authentication flaw in the API Endpoint, which can be exploited remotely.
This vulnerability is a problem because it enables attackers to access the device without any authentication, potentially allowing them to steal sensitive information, disrupt device functionality, or use the device for malicious purposes, all of which can be done from a remote location.
This vulnerability allows an attacker to access hard-coded credentials in IROAD Dash Cam X5 and X6 devices, potentially due to a flaw in the device pairing functionality, by manipulating the system from within the local network.
This is a problem because it could allow unauthorized access to sensitive information and potentially compromise the security of the device and the network it's connected to, especially since the attack can be carried out with the device's own built-in credentials.
This vulnerability allows attackers to access hard-coded credentials in the IROAD X5 Mobile App on Android devices, specifically targeting an unknown function of the API Endpoint component, and can be launched remotely.
This is a problem because it enables unauthorized access to sensitive information, potentially allowing attackers to take control of affected devices or steal sensitive data, and the fact that the exploit has been publicly disclosed increases the risk of it being used by malicious actors.
The CVE-2025-2341 vulnerability allows an attacker to use default credentials on an IROAD Dash Cam X5 by manipulating the SSID component, but only if the attack is initiated within the local network.
This vulnerability is a problem because it could allow unauthorized access to the dash cam's system, potentially leading to data breaches, device takeover, or other malicious activities, especially since the exploit has been publicly disclosed and the vendor has not responded with a fix.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "Site Title" argument in the "saveOptions" function of the Site Settings component in otale Tale Blog 2.0.5, potentially allowing them to inject malicious code into the website.
This vulnerability is a problem because it can be exploited remotely, allowing an attacker to take control of user sessions, steal sensitive information, or perform other malicious actions on the affected website, and the fact that the vendor has not responded to the disclosure and the product is no longer supported makes it more challenging to address.
The CVE-2025-2339 vulnerability allows for improper authentication in otale Tale Blog version 2.0.5, specifically affecting the /%61dmin/api/logs file, and can be exploited remotely.
This vulnerability is a problem because it enables unauthorized access to the blog's system, potentially leading to sensitive data exposure, malicious activities, or taking control of the blog, and since the exploit has been publicly disclosed, attackers may actively use it to target vulnerable systems.
This vulnerability causes a heap-based buffer overflow in the tbeu matio 1.5.28 software, specifically in the strdup_vprintf function, allowing remote attackers to potentially execute malicious code.
This vulnerability is a problem because it can be exploited remotely, meaning attackers don't need direct access to the system to launch the attack, and the exploit has been publicly disclosed, making it easier for malicious actors to use it.
This vulnerability causes a heap-based buffer overflow in the Mat_VarPrint function of the tbeu matio 1.5.28 software, allowing remote attackers to exploit the issue.
This vulnerability is a problem because it can be initiated remotely, meaning attackers don't need direct access to the system to exploit it, and the exploit has been publicly disclosed, making it more likely to be used by malicious actors, potentially leading to data breaches, system crashes, or other harmful consequences.
The GDPR Cookie Compliance WordPress plugin has a vulnerability that allows high-privilege users, such as admins, to inject malicious code into the plugin's settings, potentially leading to Stored Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to inject malicious code, which can be executed by other users, potentially stealing sensitive information, taking control of user sessions, or performing other malicious activities, even in environments where the unfiltered_html capability is restricted.
The GDPR Cookie Compliance WordPress plugin has a vulnerability that allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks by injecting malicious code into the plugin's settings, even when certain security restrictions are in place.
This vulnerability is a problem because it enables attackers to inject malicious code into a website, potentially leading to unauthorized access, data theft, or other malicious activities, even in environments where security measures are supposed to prevent such attacks.
The GDPR Cookie Compliance WordPress plugin has a vulnerability that allows high-privilege users, such as admins, to inject malicious code into the website through stored cross-site scripting attacks, even when certain security restrictions are in place.
This vulnerability is a problem because it enables attackers to inject malicious code into a website, potentially leading to unauthorized access, data theft, or other malicious activities, even in environments where security measures are supposed to prevent such actions.
The GDPR Cookie Compliance WordPress plugin has a vulnerability that allows high-privilege users, such as administrators, to inject malicious code into the website through some of its settings, even when certain security restrictions are in place.
This vulnerability is a problem because it enables Stored Cross-Site Scripting (XSS) attacks, which can lead to unauthorized access, data theft, and other malicious activities on the affected website, potentially compromising user data and website security.
The GDPR Cookie Compliance WordPress plugin, versions before 4.15.7, fails to properly sanitize and escape certain settings, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks.
This vulnerability is a problem because it enables attackers to inject malicious code into a website, potentially leading to unauthorized access, data theft, or other malicious activities, even in environments where high-privilege users are restricted from performing such actions.
The GDPR Cookie Compliance WordPress plugin has a vulnerability that allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks by exploiting unsanitized and unescaped settings.
This vulnerability is a problem because it enables malicious users with admin access to inject harmful code into the website, potentially stealing user data, taking control of user sessions, or defacing the website, even in environments where such capabilities are supposed to be restricted.
The Poll Maker WordPress plugin has a vulnerability that allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks by injecting malicious code into the plugin's settings, even when certain security restrictions are in place.
This vulnerability is a problem because it enables attackers to inject malicious code into a website, potentially leading to unauthorized access, data theft, or other malicious activities, even in environments where security measures are supposed to prevent such actions.
The Download Manager WordPress plugin, version 3.3.07 and earlier, fails to prevent directory listing on web servers that do not use .htaccess, allowing unauthorized access to files.
This vulnerability is a problem because it enables unauthorized users to access and potentially download sensitive files, which could lead to data breaches, intellectual property theft, or other malicious activities.
The CVE-2025-24856 vulnerability allows an attacker to take over a user's account in TYPO3 by exploiting a flaw in the OpenID Connect Authentication extension. This happens when an attacker can guess a user's email address, creates a public frontend user account with that email before the user's first OIDC login, and the identity provider returns an email field containing the user's email address.
This vulnerability is a problem because it enables account takeover, allowing attackers to gain unauthorized access to sensitive information and potentially perform malicious actions on behalf of the compromised user.
The CVE-2024-58103 vulnerability occurs in Square Wire versions before 5.2.0, where the software fails to enforce a recursion limit on nested groups in certain components, allowing for potential exploitation.
This vulnerability is a problem because it can lead to a stack overflow, causing the program to crash or potentially allowing an attacker to execute arbitrary code, which can compromise the security and stability of the system.
The CVE-2025-30077 vulnerability allows an attacker to cause an index out-of-range panic in the Open Networking Foundation SD-RAN ONOS onos-lib-go library, specifically in the asn1/aper GetBitString function, by providing a zero value for the number of bits.
This vulnerability is a problem because it can lead to a denial-of-service (DoS) condition, causing the system to crash or become unresponsive, which can disrupt network operations and potentially allow for further exploitation.
The CVE-2025-30076 vulnerability allows administrators to execute arbitrary commands on the Koha system by inserting shell metacharacters into the report parameter in the tools/scheduler.pl file.
This vulnerability is a problem because it enables attackers to gain unauthorized access to the system, potentially leading to data breaches, system compromise, and other malicious activities, by exploiting the ability to execute arbitrary commands.
This vulnerability allows an attacker to gain root access on a macOS system running Alludo Parallels Desktop versions before 19.4.2 and 20.x before 20.2.2, by exploiting a flaw in the virtual machine creation routine.
This is a problem because it enables an attacker to elevate their privileges to root level, giving them complete control over the system, allowing them to access sensitive data, install malware, and perform any action they want, compromising the security and integrity of the system.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the "message" argument in the /api/school/registerSchool API endpoint of Drivin Soluções, potentially executing malicious code on a user's browser.
This vulnerability is a problem because it enables remote attackers to inject malicious scripts into the API, which can lead to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the system and its users.
The CVE-2022-49737 vulnerability is a race condition in the X.Org X server that occurs when a client application uses easystroke for mouse gestures, allowing the main thread to modify data structures used by the input thread without proper locking.
This vulnerability is a problem because it can cause unpredictable behavior, crashes, or potentially allow an attacker to execute arbitrary code, compromising the security and stability of the system.
This vulnerability allows an attacker to manipulate the "chatListId" argument in the "deleteChat" function of the Chat History Handler, leading to improper access controls and potentially allowing unauthorized deletion of chat history.
This vulnerability is a problem because it enables remote attacks, allowing an attacker to access and delete sensitive chat history without proper authorization, which can lead to data loss and potential security breaches.
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority, indicating that it is no longer a valid or recognized vulnerability.
It's not a problem as the CVE ID is not associated with a legitimate vulnerability, and therefore does not pose a security risk.
The CVE-2025-27281 vulnerability allows an attacker to inject malicious SQL code into the All In Menu plugin, enabling them to extract or modify sensitive data without being detected, due to the improper neutralization of special elements used in SQL commands.
This vulnerability is a problem because it can lead to unauthorized access to sensitive data, modification of database records, and potentially even complete control of the affected system, posing a significant risk to the security and integrity of the data.
This vulnerability allows attackers to inject malicious SQL code into a database by exploiting improper neutralization of special elements in SQL commands, potentially giving them unauthorized access to sensitive data in FS Poster versions up to 6.5.8.
This vulnerability is a problem because it can lead to unauthorized data access, modification, or deletion, and potentially allow attackers to gain control of the affected system, compromising the security and integrity of the data stored in the database.
The CVE-2025-26976 vulnerability allows an attacker to inject malicious SQL code into a database by exploiting improper neutralization of special elements in SQL commands, affecting Aldo Latino PrivateContent versions up to 8.11.4.
This vulnerability is a problem because it enables attackers to access, modify, or extract sensitive data from the database, potentially leading to data breaches, unauthorized access, or disruption of services, which can have severe consequences for the security and integrity of the affected system.
This vulnerability allows an attacker to inject malicious code into a web page, potentially stealing user data or taking control of the user's session, due to improper handling of user input in the PrivateContent plugin.
This vulnerability is a problem because it enables cross-site scripting (XSS) attacks, which can lead to unauthorized access to sensitive information, session hijacking, and other malicious activities, affecting users of the PrivateContent plugin versions 8.11.5 and earlier.
The CVE-2025-26969 vulnerability allows unauthorized access to sensitive information in Aldo Latino PrivateContent due to a missing authorization mechanism, affecting versions up to 8.11.5.
This vulnerability is a problem because it enables unauthorized users to access restricted content, potentially leading to data breaches, sensitive information disclosure, and other security threats, especially given its high severity score of 8.3.
The CVE-2025-26961 vulnerability allows unauthorized access to certain functionalities in the Fresh Framework that should be restricted by Access Control Lists (ACLs), due to a missing authorization check.
This vulnerability is a problem because it enables attackers to access and potentially exploit sensitive features or data that were meant to be protected, which could lead to security breaches, data theft, or other malicious activities.
The CVE-2025-26940 vulnerability allows an attacker to traverse the file system of a website using the Pie Register Premium plugin, potentially accessing sensitive files and directories that are not intended to be public.
This vulnerability is a problem because it can give an attacker unauthorized access to sensitive information, such as configuration files, user data, or other confidential information, which can be used for malicious purposes like identity theft, data breaches, or further exploitation of the system.
The CVE-2025-26924 vulnerability allows an attacker to inject malicious code into the NotFound Ohio Extra system, potentially giving them control over the system's behavior.
This vulnerability is a problem because it enables attackers to execute arbitrary code, which could lead to unauthorized access, data theft, or disruption of service, ultimately compromising the security and integrity of the system.
The CVE-2025-26921 vulnerability allows an attacker to inject malicious objects into the Booking and Rental Manager system by exploiting a deserialization of untrusted data flaw, potentially leading to unauthorized access and control.
This vulnerability is a problem because it enables attackers to execute arbitrary code, access sensitive data, and disrupt the system's functionality, posing a significant risk to the security and integrity of the affected system, especially given its high severity score of 8.8.
The CVE-2025-26899 vulnerability allows an attacker to trick a user into performing unintended actions on a website using Cross-Site Request Forgery (CSRF) on the Recapture Cart Recovery and Email Marketing Recapture for WooCommerce plugin, versions 1.0.43 and below.
This vulnerability is a problem because it enables an attacker to manipulate user interactions, potentially leading to unauthorized access, data modification, or other malicious activities, which can compromise the security and integrity of the affected website and its users.
The CVE-2025-26895 vulnerability allows an attacker to inject malicious code into a web page through a technique known as DOM-Based Cross-site Scripting (XSS) in the m1.DownloadList application, affecting versions up to 0.19 (the earliest affected version is unknown).
This vulnerability is a problem because it enables attackers to execute malicious scripts on a user's browser, potentially leading to unauthorized access to sensitive information, session hijacking, or other malicious activities, compromising the security and privacy of users interacting with the affected application.
This vulnerability allows an attacker to inject malicious SQL code into a database using the PublishPress Authors plugin, potentially giving them access to sensitive data.
This vulnerability is a problem because it can lead to unauthorized access to a website's database, allowing attackers to steal or modify sensitive information, disrupt the website's functionality, or take control of the entire system.
The CVE-2025-26875 vulnerability allows an attacker to inject malicious SQL code into a database, potentially giving them unauthorized access to sensitive information, due to improper neutralization of special elements in SQL commands in the Multiple Shipping And Billing Address For Woocommerce plugin.
This vulnerability is a significant problem because it can lead to unauthorized data access, modification, or deletion, and potentially even allow attackers to gain control of the entire system, resulting in severe security breaches and data losses.
The CVE-2025-26556 vulnerability allows an attacker to inject malicious code into a website using the zzmaster WP AntiDDOS plugin, which can lead to Reflected Cross-site Scripting (XSS) attacks. This means an attacker can trick a user into clicking a link or visiting a website that executes the malicious code, potentially stealing user data or taking control of the user's session.
This vulnerability is a problem because it can be used by attackers to steal sensitive user information, such as login credentials or personal data, or to take control of a user's session, allowing them to perform unauthorized actions on the website. The severity score of 7.1 indicates that this is a relatively high-risk vulnerability.
The CVE-2025-26555 vulnerability allows an attacker to inject malicious code into a web page through a reflected Cross-site Scripting (XSS) attack, exploiting the Debug-Bar-Extender's improper neutralization of input during web page generation.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities, affecting users who interact with the vulnerable web page.
This vulnerability allows an attacker to inject malicious code into a website using the WP Discord Post plugin, which can lead to Reflected Cross-site Scripting (XSS) attacks. This means an attacker can trick a user into clicking a link that executes malicious code on the website.
This vulnerability is a problem because it can be used by attackers to steal user data, take control of user sessions, or perform other malicious actions on the affected website. The severity score of 7.1 indicates that this is a significant vulnerability that should be addressed promptly.
The CVE-2025-26553 vulnerability allows an attacker to inject malicious code into a website using the Spring Devs Pre Order Addon for WooCommerce plugin, enabling Reflected Cross-site Scripting (XSS) attacks. This occurs due to improper neutralization of input during web page generation.
This vulnerability is a problem because it enables attackers to trick users into executing malicious code, potentially leading to unauthorized access, data theft, or other malicious activities on the affected website.
The CVE-2025-26548 vulnerability allows an attacker to inject malicious code into a website using the Random Image Selector, potentially stealing user data or taking control of user sessions, through a reflected Cross-site Scripting (XSS) attack.
This vulnerability is a problem because it enables attackers to trick users into executing malicious code, which can lead to unauthorized access to sensitive information, session hijacking, or other malicious activities, ultimately compromising the security and privacy of users interacting with the affected website.
The CVE-2025-23744 vulnerability allows an attacker to inject malicious code into a website through the dvs11 Random Posts, Mp3 Player + ShareButton plugin, enabling reflected Cross-site Scripting (XSS) attacks.
This vulnerability is a problem because it can be used by attackers to steal user data, take control of user sessions, or redirect users to malicious websites, ultimately compromising the security and privacy of users interacting with the affected website.
This vulnerability allows an authenticated attacker with administrator privileges to gain Super Admin permissions in Joomla's Hikashop component, versions 1.0.0-5.1.3.
This vulnerability is a problem because it enables an attacker to escalate their privileges, potentially gaining unrestricted access to the system and allowing them to perform malicious actions, such as modifying sensitive data, installing malware, or disrupting the system's functionality.
This vulnerability affects the "updateQuestionCou" function in the Number of Question Handler component, allowing remote attackers to manipulate and enforce behavioral workflows.
This vulnerability is a problem because it can be exploited remotely, potentially allowing attackers to disrupt or alter the intended behavior of the application, which could lead to unintended consequences or security breaches.
This vulnerability allows an attacker to exploit hard-coded credentials in the OpenController.java file of the springboot-openai-chatgpt application, which can be initiated remotely.
This is a problem because hard-coded credentials can be accessed by unauthorized users, allowing them to gain unauthorized access to the application and potentially leading to data breaches, unauthorized data modifications, or other malicious activities.
This CVE (CVE-2025-2333) was issued in error and has been rejected, with all relevant information removed to prevent accidental usage.
It's not a problem as it was never a valid vulnerability, but using or referencing it could cause confusion.
This vulnerability allows an attacker to manipulate the "chatUserID" argument in the /api/mjkj-chat/cgform-api/addData/ endpoint, leading to business logic errors that can be exploited remotely.
This vulnerability is a problem because it can be used to disrupt the normal functioning of the application, potentially allowing attackers to manipulate or extract sensitive data, and it can be exploited remotely, making it accessible to a wide range of potential attackers.
The GiveWP plugin for WordPress has a vulnerability that allows unauthorized access to sensitive data, specifically earnings reports, due to a missing capability check in the give_reports_earnings() function.
This vulnerability is a problem because it enables unauthenticated attackers to disclose sensitive information, potentially compromising the security and privacy of the organization's financial data.
The Tripetto plugin for WordPress has a vulnerability that allows attackers to trick site administrators into performing unintended actions, such as deleting results, by sending forged requests to the site.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate the site's data without permission, potentially leading to data loss or other malicious activities, by exploiting the lack of proper validation in the plugin.
A flaw in Keylime, a remote attestation solution, causes the registrar to fail when processing agent registration requests due to a type mismatch between older and newer versions, where older versions store data as bytes and newer versions expect it as a string.
This vulnerability is a problem because it prevents the registrar from reading database entries created by previous versions, leading to exceptions and agent registration failures, which can disrupt the functionality of Keylime and potentially compromise the security of the system.
The WP Test Email plugin for WordPress allows attackers to inject arbitrary web scripts into email logs due to poor input validation, which can lead to the execution of malicious scripts when a user accesses the affected page.
This vulnerability is a problem because it enables unauthenticated attackers to inject malicious code into pages, potentially leading to unauthorized access, data theft, or other malicious activities, all without the need for authentication.
This vulnerability allows low-privileged users to access and monitor temporary files in the /var/tmp directory, potentially exposing sensitive information such as system passwords stored in /etc/shadow.
This issue is a problem because it can lead to unauthorized access to sensitive system information, which can result in information disclosure and potentially allow attackers to escalate their privileges, gaining greater control over the system.
The Thumbnail carousel slider plugin for WordPress has a vulnerability that allows attackers to inject malicious SQL code into the database by manipulating the 'id' parameter, potentially extracting sensitive information.
This vulnerability is a problem because it enables unauthenticated attackers to access and extract sensitive data from the database, which could lead to security breaches and compromised user information.
The CVE-2025-30066 vulnerability allows remote attackers to read actions logs in tj-actions changed-files versions up to 45.0.7, potentially exposing sensitive information, including secrets.
This vulnerability is a problem because it enables unauthorized access to sensitive data, which could lead to further security breaches, data theft, or other malicious activities, compromising the confidentiality and security of the affected systems.
The Traveler theme for WordPress has a vulnerability that allows attackers to inject malicious scripts into website pages by manipulating certain parameters, due to insufficient input sanitization and output escaping.
This vulnerability is a problem because it enables unauthenticated attackers to execute arbitrary web scripts on a user's browser, potentially leading to unauthorized actions, data theft, or other malicious activities, if they can trick a user into clicking on a malicious link.
The Traveler theme for WordPress has a vulnerability that allows attackers to include and execute arbitrary files on the server, which can lead to the execution of any PHP code in those files, by exploiting the 'style' parameter in the 'hotel_alone_load_more_post' function.
This vulnerability is a problem because it enables unauthenticated attackers to bypass access controls, obtain sensitive data, or achieve code execution, potentially leading to significant security breaches and data compromises.
The Tripetto plugin for WordPress, used for creating forms, surveys, and quizzes, has a vulnerability that allows attackers to upload files containing malicious scripts, which can then be executed when a user accesses the uploaded file.
This vulnerability is a problem because it enables unauthenticated attackers to inject arbitrary web scripts into pages, potentially leading to unauthorized access, data theft, or other malicious activities, all without needing to log in to the WordPress site.
The WP01 plugin for WordPress allows attackers with Subscriber-level access or higher to download arbitrary files from the server, due to a lack of proper capability checks and insufficient restrictions on the make_archive() function.
This vulnerability is a problem because it enables authenticated attackers to access and read sensitive information stored in files on the server, which could include confidential data, passwords, or other security-related information.
The pixelstats plugin for WordPress has a vulnerability that allows attackers to inject arbitrary web scripts into pages through the 'post_id' and 'sortby' parameters, due to insufficient input sanitization and output escaping, which can be triggered by tricking a user into clicking on a malicious link.
This vulnerability is a problem because it enables unauthenticated attackers to execute malicious scripts on a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities, without requiring the attacker to have any login credentials.
The Zoorum Comments plugin for WordPress has a vulnerability that allows attackers to trick site administrators into performing unintended actions, such as updating settings or injecting malicious scripts, by sending forged requests.
This vulnerability is a problem because it enables unauthenticated attackers to manipulate the site's settings and potentially inject malicious code, which could lead to security breaches, data theft, or other harmful consequences, all without needing to authenticate themselves.
The WPSchoolPress plugin for WordPress has a vulnerability that allows attackers to inject malicious SQL code into the database by manipulating the 'cid' parameter, potentially extracting sensitive information.
This vulnerability is a problem because it enables authenticated attackers with Custom-level access or higher to access and extract sensitive data from the database, which could lead to data breaches and compromise the security of the school management system.
The School Management System – WPSchoolPress plugin for WordPress has a vulnerability that allows attackers to inject malicious SQL code into the database through the 'addNotify' action, potentially extracting sensitive information.
This vulnerability is a problem because it enables authenticated attackers with teacher-level access or higher to access and extract sensitive data from the database, which could lead to unauthorized data disclosure and potentially harm the school, students, or staff.
The School Management System – WPSchoolPress plugin for WordPress has a vulnerability that allows authenticated attackers with teacher-level access or higher to delete any user account, due to a missing capability check in the user deletion function.
This vulnerability is a problem because it enables attackers to remove users from the system, potentially disrupting the functionality of the school management system, causing data loss, and affecting the overall security and integrity of the platform.
The School Management System – WPSchoolPress plugin for WordPress has a vulnerability that allows authenticated attackers with teacher-level access to update any user's details, including their email address, which can be used to reset passwords and gain access to other accounts.
This vulnerability is a problem because it enables attackers to escalate their privileges and gain unauthorized access to sensitive user accounts, including those of administrators, potentially leading to data breaches, identity theft, and other malicious activities.
The Portfolio and Projects plugin for WordPress allows attackers with Administrator-level permissions to inject arbitrary web scripts into pages due to insufficient input sanitization and output escaping, which can execute whenever a user accesses the injected page.
This vulnerability is a problem because it enables authenticated attackers to inject malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities, especially in multi-site installations or where unfiltered_html has been disabled.
The WC Affiliate plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to access sensitive affiliate data, including personally identifiable information (PII), without proper authorization.
This vulnerability is a problem because it can lead to the exposure of sensitive information, potentially compromising the privacy and security of individuals associated with the affiliate program, and could be used for malicious purposes such as identity theft or phishing.
The Directory Listings WordPress plugin (uListing) has a vulnerability that allows attackers with subscriber-level access or higher to modify data and inject PHP objects without proper authorization, due to a missing capability check in the stm_listing_ajax AJAX action.
This vulnerability is a problem because it enables authenticated attackers to update sensitive post meta data and inject malicious PHP objects, which can lead to unauthorized access, data tampering, and potentially even code execution, compromising the security and integrity of the WordPress site.
The Directory Listings WordPress plugin (uListing) has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to update user metadata without proper restrictions, potentially elevating their privileges to that of an administrator.
This vulnerability is a problem because it enables low-privileged users to gain administrative access, which can lead to unauthorized changes, data breaches, and full control over the affected WordPress site, compromising its security and integrity.
This vulnerability allows an attacker to exploit the "submit" function in the User Handler component of the springboot-openai-chatgpt application, leading to improper authorization, which can be done remotely.
This is a problem because it enables unauthorized access to the application, potentially allowing attackers to perform actions that they should not be able to, which can lead to data breaches, system compromise, or other malicious activities.
This vulnerability allows an attacker to cause an integer overflow or wraparound in the EDK2 BIOS via network exploitation, potentially leading to a denial of service.
This vulnerability is a problem because it can be exploited by attackers to disrupt the normal functioning of the system, resulting in a denial of service, which can lead to system unavailability and potential data loss.
This vulnerability, found in HDF5 version 1.14.6, allows for a heap-based buffer overflow due to a flaw in the H5MM_strndup function, which is part of the Metadata Attribute Decoder component. This can be exploited locally.
This issue is problematic because it could potentially be used by an attacker to overflow a buffer on the heap, leading to arbitrary code execution or other malicious activities, which could compromise the security and integrity of the affected system.
The CVE-2025-2309 vulnerability is a heap-based buffer overflow issue in the HDF5 1.14.6 library, specifically in the H5T__bit_copy function of the Type Conversion Logic component, which can be exploited by an attacker with local access.
This vulnerability is a problem because it can be used by an attacker to potentially execute arbitrary code, causing harm to the system or stealing sensitive information, and the fact that the exploit has been publicly disclosed makes it easier for attackers to use it.
The CVE-2025-2308 vulnerability is a critical issue in HDF5 1.14.6 that affects the Scale-Offset Filter component, specifically the H5Z__scaleoffset_decompress_one_byte function, leading to a heap-based buffer overflow when manipulated locally.
This vulnerability is a problem because it can be exploited by an attacker to potentially execute arbitrary code or cause a denial-of-service, allowing them to disrupt or take control of the affected system, which can have serious consequences for data integrity and security.
This vulnerability allows attackers to inject malicious scripts into a specific parameter in the WeGIA application, which are then stored on the server and executed automatically when the affected page is accessed by users.
This is a problem because it enables attackers to perform unauthorized actions on the application, potentially leading to data theft, modification, or other malicious activities, posing a significant security risk to users of the WeGIA application.
The HtmlSanitizer package has a cross-site scripting vulnerability that occurs when it's used with a `contentEditable` element to set the element's `innerHTML` to a sanitized string, allowing specially crafted code to bypass sanitization and potentially execute malicious scripts.
This vulnerability is a problem because it can allow attackers to inject malicious code into a website, potentially leading to unauthorized access, data theft, or other malicious activities, despite the use of a sanitizer intended to prevent such attacks.
The CVE-2025-29780 vulnerability is a timing side channel in the Post-Quantum Secure Feldman's Verifiable Secret Sharing library, specifically in its matrix operations. This vulnerability allows an attacker to potentially recover secret information used in the Verifiable Secret Sharing scheme by measuring the execution time of certain functions.
This vulnerability is a problem because it could allow an attacker to extract sensitive information, such as secret keys, by exploiting the timing differences in the execution of certain functions. This could lead to a complete compromise of the shared secret, making it a significant security risk.
The CVE-2025-29779 vulnerability affects the Post-Quantum Secure Feldman's Verifiable Secret Sharing Python implementation, specifically the `secure_redundant_execution` function, which is designed to prevent fault injection attacks. However, due to limitations in Python's execution environment and implementation, an attacker can bypass the redundancy check mechanisms, extract secret polynomial coefficients, force acceptance of invalid shares, or manipulate commitment verification.
This vulnerability is a problem because it undermines the core security guarantees of the Verifiable Secret Sharing scheme, allowing attackers with physical access to the hardware to launch targeted fault injection attacks and compromise the security of the system.
This vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks, potentially altering critical identity or access control attributes.
This is a problem because it enables an attacker to bypass authentication or authorization mechanisms, escalate privileges, or impersonate another user, which can lead to unauthorized access and malicious activities.
The CVE-2025-26312 vulnerability allows an attacker to bypass the CAPTCHA security feature on SendQuick Entera devices with versions before 11HF5 by manipulating the captcha parameter.
This vulnerability is a problem because it enables attackers to automate tasks or gain unauthorized access to the device, potentially leading to security breaches, data theft, or other malicious activities, as the CAPTCHA is intended to prevent automated attacks.
This vulnerability allows an authenticated attacker to write a file with controlled contents to any location on the server's file system, potentially enabling remote code execution (RCE) on the web server running the application.
This vulnerability is a problem because it can be exploited by an attacker to run arbitrary commands on the server's operating system, giving them control over the system and potentially leading to data breaches, malware installation, or other malicious activities.
The CVE-2024-54448 vulnerability allows attackers to run arbitrary system commands on the underlying operating system of a web server running LogicalDOC by exploiting the Automation Scripting functionality, but only if they have an account with administrator privileges or explicit access to Automation Scripting.
This vulnerability is a problem because it enables attackers to execute commands of their choice on the underlying operating system, potentially leading to unauthorized access, data breaches, or system compromise.
The saved search functionality in a system contains a blind SQL injection vulnerability that allows authenticated attackers to exploit it, potentially disclosing all database contents using a time-based technique.
This vulnerability is a problem because it can lead to unauthorized access to sensitive database information, and in some cases, allow attackers to take over accounts, depending on the data stored in certain database tables.
This vulnerability allows an authenticated attacker to exploit a blind SQL injection in the document history functionality, potentially disclosing all database contents using a time-based technique.
This vulnerability is a problem because it can lead to unauthorized access to sensitive database information, and in some cases, account takeover, depending on the data stored in certain database tables.
This vulnerability allows an attacker to exploit a blind SQL injection in the login functionality, potentially disclosing all database contents without needing to be authenticated.
This is a problem because it could lead to account takeover, depending on the data stored in the database, and poses a significant risk to the security and confidentiality of the system's data.
This vulnerability allows a remote attacker to execute arbitrary code on a server by manipulating the Content-Type header when uploading a file to a NestJS application running version 10.3.2.
This is a problem because it enables attackers to run malicious code on the server, potentially leading to data breaches, system compromise, or other security threats, giving them control over sensitive information and system resources.
This vulnerability allows an attacker to exploit a blind SQL injection in the logout functionality, potentially disclosing all database contents using a time-based technique, and possibly leading to account takeover.
This vulnerability is a problem because it enables unauthenticated attackers to access sensitive database information, which could include user credentials or other confidential data, potentially allowing them to take control of accounts.
This vulnerability allows an attacker to perform a reflected cross-site scripting (XSS) attack within certain JSP files used to control the appearance of the LogicalDOC Enterprise application, potentially tricking a user into clicking a malicious link that triggers the vulnerability.
This vulnerability is a problem because it could be used to deceive users into performing unintended actions on the website without their knowledge, although it cannot be used to steal session cookies due to existing security flags.
This vulnerability allows an authenticated attacker with 'read' and 'download' privileges on at least one document to access and read the contents of files on the underlying operating system, potentially exposing sensitive information.
This vulnerability is a problem because it enables an attacker to bypass normal access controls and read any file that the system user running the application has access to, which could include confidential data, system configuration files, or other sensitive information.
The CVE-2025-29774 vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks, potentially altering critical identity or access control attributes.
This vulnerability is a problem because it enables an attacker to bypass authentication or authorization mechanisms, escalate privileges, or impersonate another user, which can lead to unauthorized access and potentially harmful actions.
This vulnerability allows an attacker to overflow the stack in the Tenda AC9 router's system by manipulating the wanSpeed parameter, potentially leading to remote execution of arbitrary code.
This is a problem because it enables hackers to run malicious code on the router, giving them control over the device and potentially allowing them to steal sensitive information, disrupt network traffic, or use the router as a launching point for further attacks.
The CVE-2025-29386 vulnerability is a stack overflow issue in the Tenda AC9 v1.0 V15.03.05.14_multi router, specifically in the mac parameter of the /goform/AdvSetMacMtuWan endpoint, which allows remote attackers to execute arbitrary code.
This vulnerability is a problem because it enables remote attackers to take control of the affected router, potentially leading to unauthorized access, data theft, and other malicious activities, compromising the security and integrity of the network.
The CVE-2025-29385 vulnerability allows an attacker to overflow the stack in the Tenda AC9 router's firmware, specifically in the /goform/AdvSetMacMtuWan endpoint, by manipulating the cloneType parameter, potentially leading to remote execution of arbitrary code.
This vulnerability is a problem because it could enable an attacker to gain control over the affected router, allowing them to execute malicious code, steal sensitive information, or disrupt the network, which can compromise the security and integrity of the device and the connected network.
The CVE-2025-29384 vulnerability allows an attacker to overflow the stack in the Tenda AC9 router by manipulating the wanMTU parameter, potentially leading to remote arbitrary code execution.
This vulnerability is a problem because it enables attackers to execute malicious code on the affected router, giving them control over the device and potentially allowing them to steal sensitive information, disrupt network traffic, or spread malware.
The Element Android app fails to log out a user after an incorrect PIN has been entered more than the allowed number of times, potentially allowing an attacker with physical access to the device to guess the PIN.
This vulnerability is a problem because it enables an attacker with physical access to the device to attempt to guess the PIN repeatedly, potentially gaining unauthorized access to the user's account and sensitive information.
This CVE (CVE-2025-26216) was initially reported but later withdrawn by its CNA after further investigation revealed it was not a security issue.
It's not a problem, as the reported issue was found to be non-security related, posing no risk to systems or data.
This CVE (CVE-2025-26215) was initially reported but later withdrawn by its CNA after further investigation revealed it was not a security issue.
It is not a problem, as the reported issue was found to be non-security related, posing no risk to users.
The Leica Web Viewer in the Aperio Eslide Manager Application has a vulnerability that allows an authenticated user to inject malicious JavaScript code into the "memo" field of a project slide, which can be executed when a user hovers over the field to view the memo.
This vulnerability is a problem because it enables attackers to execute arbitrary JavaScript code, potentially allowing them to steal user data, take control of user sessions, or perform other malicious actions, which can compromise the security and integrity of the application and its users.