Total
5529 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3561 | 1 Ghostxbh | 1 Uzy-ssm-mall | 2025-10-10 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in ghostxbh uzy-ssm-mall 1.0.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-34146 | 1 Jenkins | 1 Git Server | 2025-10-10 | N/A | 6.5 MEDIUM |
| Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories. | |||||
| CVE-2024-52549 | 1 Jenkins | 1 Script Security | 2025-10-10 | N/A | 4.3 MEDIUM |
| Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. | |||||
| CVE-2024-44069 | 1 Pi-hole | 1 Pi-hole | 2025-10-10 | N/A | 7.5 HIGH |
| Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value (Celsius, Fahrenheit, or Kelvin), seen by the device owner, is unclear. | |||||
| CVE-2017-6369 | 1 Firebirdsql | 1 Firebird | 2025-10-10 | 6.5 MEDIUM | 8.8 HIGH |
| Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so. | |||||
| CVE-2025-51308 | 1 Gatling | 1 Gatling | 2025-10-09 | N/A | 5.3 MEDIUM |
| In Gatling Enterprise versions below 1.25.0, a low-privileged user that does not hold the role "admin" could perform a REST API call on read-only endpoints, allowing him to collect some information, due to missing authorization checks. | |||||
| CVE-2025-11439 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-11438 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue. | |||||
| CVE-2025-11442 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access. | |||||
| CVE-2025-3257 | 1 Xujiangfei | 1 Admintwo | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-10352 | 2025-10-08 | N/A | N/A | ||
| Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an administrator account via a request to '/melis/MelisCore/ToolUser/addNewUser'. | |||||
| CVE-2025-59826 | 1 Flagforge | 1 Flagforge | 2025-10-08 | N/A | 7.6 HIGH |
| Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, non-admin users can create arbitrary challenges, potentially introducing malicious, incorrect, or misleading content. This issue has been patched in version 2.2.0. | |||||
| CVE-2025-59827 | 1 Flagforge | 1 Flagforge | 2025-10-08 | N/A | 9.8 CRITICAL |
| Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assign-badge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege escalation and impersonation of administrative roles. This issue has been patched in version 2.2.0. | |||||
| CVE-2025-11029 | 1 Vvveb | 1 Vvveb | 2025-10-07 | 5.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in givanz Vvveb up to 1.0.7.2. This vulnerability affects unknown code. Executing manipulation can lead to cross-site request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | |||||
| CVE-2025-9194 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
| The Constructor theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean() function in all versions up to, and including, 1.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a theme clean. | |||||
| CVE-2025-9243 | 2025-10-06 | N/A | 8.1 HIGH | ||
| The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status. | |||||
| CVE-2025-9029 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
| The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services. | |||||
| CVE-2025-11228 | 2025-10-06 | N/A | 5.3 MEDIUM | ||
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign. | |||||
| CVE-2025-10212 | 2025-10-06 | N/A | 5.3 MEDIUM | ||
| The SiteAlert (Formerly WP Health) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.9.8. This makes it possible for unauthenticated attackers to view the site health information, including a list of installed and outdated plugins, PHP and Database version, etc. | |||||
| CVE-2025-57971 | 2025-10-04 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in SALESmanago SALESmanago & Leadoo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SALESmanago & Leadoo: from n/a through 3.8.1. | |||||