CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-9804 An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user... | 9.6 | CRITICAL | β | 0 |
| CVE-2025-53092 Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the val... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-61789 Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protec... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-34514 Ilevia EVE X1 Server firmware versions β€ 4.7.18.0.eden contain authenticated OS command injection vulnerabilities in multiple web-accessible PHP scripts that call exec() and allow an authenticated att... | 8.8 | HIGH | β | 0 |
| CVE-2025-43409 A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1. An app may be able to access sensitive user data. | 5.5 | MEDIUM | β | 0 |
| CVE-2025-61907 Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would oth... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-61908 Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentatio... | 6.5 | MEDIUM | β | 0 |
| CVE-2017-20208 The RegistrationMagic β Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via d... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-10006 The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rev_slider_vc' shortcode in all versions up to, and including, 8.6 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-11979 An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects Mongo... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-62250 Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through upda... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-62509 FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRiseβs file/folder handling allows low-priv... | 8.1 | HIGH | β | 0 |
| CVE-2025-62510 FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder na... | 8.1 | HIGH | β | 0 |
| CVE-2025-60783 There is a SQL injection vulnerability in Restaurant Management System DBMS Project v1.0 via login.php. The vulnerability allows attackers to manipulate the application's database through specially cr... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-11624 Potential stack buffer overwrite on the SFTP server side when receiving a malicious packet that has a handle size larger than the system handle or file descriptor size, but smaller than max handle siz... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-11625 Improper host authentication vulnerability in wolfSSH version 1.4.20 and earlier clients that allows authentication bypass and leaking of clients credentials. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-22166 This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center. This DoS (Denial of Service) vulnerability, with a CVSS Score of 8.3, allows an att... | 7.5 | HIGH | β | 0 |
| CVE-2025-62605 Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacke... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-62763 Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy. | 5.0 | MEDIUM | β | 0 |
| CVE-2025-62249 A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1... | 6.1 | MEDIUM | β | 0 |
| CVE-2009-3448 npvmgr.exe in BakBone NetVault Backup 8.22 Build 29 allows remote attackers to cause a denial of service (daemon crash) via a packet to (1) TCP or (2) UDP port 20031 with a large value in an unspecifi... | N/A | NONE | β | 0 |
| CVE-2025-22167 This High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions: 9.12.0, 10.3.0 and remain present in 11.0.0 of Jira Software Data Center and Server. This Path Traversal (... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-10588 The PixelYourSite β Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorr... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-11411 NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used t... | N/A | NONE | β | 0 |
| CVE-2025-11957 Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of oth... | 8.4 | HIGH | β | 0 |
| CVE-2025-11958 An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboa... | 4.1 | MEDIUM | β | 0 |
| CVE-2025-62248 A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.... | 4.8 | MEDIUM | β | 0 |
| CVE-2025-62247 Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-47732 Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. | 8.7 | HIGH | β | 0 |
| CVE-2025-8427 The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βauto_playβ parameter in all versions up to, and including, 2.9.2.1 due to insuffi... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-11429 A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain t... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-12110 A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new token... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-59048 OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vu... | 8.1 | HIGH | β | 0 |
| CVE-2025-62255 Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-5350 SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs... | 5.9 | MEDIUM | β | 0 |
| CVE-2025-5605 An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication ... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-52099 Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-29088. Reason: This record is a duplicate of CVE-2025-29088. Notes: All CVE users should reference CVE-2025-29088 instead of this reco... | N/A | NONE | β | 0 |
| CVE-2025-11823 The ShopLentor β WooCommerce Builder for Elementor & Gutenberg +21 Modules β All in One Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_exist_text' parameter... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-11564 The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-6680 The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authen... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-62893 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | β | 0 |
| CVE-2025-62908 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | β | 0 |
| CVE-2025-12761 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi st... | 3.5 | LOW | β | 0 |
| CVE-2025-11154 The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users. | 5.4 | MEDIUM | β | 0 |
| CVE-2023-49440 AhnLab EPP 1.0.15 is vulnerable to SQL Injection via the "preview parameter." | 8.8 | HIGH | β | 0 |
| CVE-2025-32785 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable t... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-36007 IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to privilege escalation due to improper privilege assignment to an update script. | 7.8 | HIGH | β | 0 |
| CVE-2025-36138 IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-36170 IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-53533 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnera... | 6.1 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.