| DataType | ProblemTypes | Impact | Publishdate | |
|---|---|---|---|---|
Threat detailsThe Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_settings_submenu' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-79 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | CVE | CWE-22 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe AI Image Lab – Free AI Image Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the 'wpz-ai-images' page. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fbconnect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | CVE | CWE-22 | NETWORK: HIGH | 06-14-2025 |
Threat detailsThe Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | CVE | CWE-22 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | CVE | CWE-98 | NETWORK: HIGH | 06-14-2025 |
Threat detailsThe WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the field_conditions parameter in all versions up to, and including, 5.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Administrators can configure the plugin to allow access to this functionality to authors and higher. | CVE | CWE-89 | NETWORK: LOW | 06-14-2025 |
Threat detailsThe File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites. | CVE | CWE-434 | NETWORK: LOW | 06-14-2025 |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsThe Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 06-14-2025 |
Threat detailsRejected reason: Not used
| CVE | LOW | 06-14-2025 | |
Threat detailsIBM Backup, Recovery and Media Services for i 7.4 and 7.5 could allow a user with the capability to compile or restore a program to gain elevated privileges due to a library unqualified call made by a BRMS program. A malicious actor could cause user-controlled code to run with component access to the host operating system. | CVE | CWE-250 | NETWORK: HIGH | 06-14-2025 |
Threat detailsIn ExtremeCloud Universal ZTNA, a syntax error in the 'searchKeyword' condition caused queries to bypass the owner_id filter. This issue may allow users to search data across the entire table instead of being restricted to their specific owner_id. | CVE | HIGH | 06-13-2025 | |
Threat detailsA deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability. | CVE | CWE-502 | LOCAL: HIGH | 06-13-2025 |
Threat detailsAn arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an arbitrary free. An attacker can forge a fake session to trigger this vulnerability. | CVE | CWE-763 | LOCAL: LOW | 06-13-2025 |
Threat detailsconda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted meta.yaml file. An attacker controlling meta.yaml can inject malicious code into the version assignment, which is executed during file processing, leading to arbitrary code execution. Exploitation requires an attacker to modify the recipe file by manipulating the RECIPE_DIR variable and introducing a malicious meta.yaml file. While this is more feasible in CI/CD pipelines, it is uncommon in typical environments, reducing overall risk. This vulnerability is fixed in 4.15.0. | CVE | CWE-95 | LOW | 06-13-2025 |
Threat detailsAn out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault 3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an out-of-bounds write. An attacker can issue an API call to trigger this vulnerability. | CVE | CWE-787 | LOCAL: LOW | 06-13-2025 |
Threat detailsA stack-based buffer overflow vulnerability exists in the securebio_identify functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted malicious cv_object can lead to a arbitrary code execution. An attacker can issue an API call to trigger this vulnerability. | CVE | CWE-121 | LOCAL: LOW | 06-13-2025 |
Threat detailsAn out-of-bounds read vulnerability exists in the cv_send_blockdata functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an information leak. An attacker can issue an API call to trigger this vulnerability. | CVE | CWE-125 | LOCAL: LOW | 06-13-2025 |
Threat detailshandcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The problem is patched with Version 1.4.3. | CVE | CWE-915 | LOW | 06-13-2025 |
Threat detailsThe MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities. | CVE | CWE-306 | LOW | 06-13-2025 |
Threat detailsA vulnerability classified as critical has been found in code-projects Laundry System 1.0. This affects an unknown part of the file /data/. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-306 | NETWORK: LOW | 06-13-2025 |
Threat detailsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15. | CVE | LOW | 06-13-2025 | |
Threat detailsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15. | CVE | LOW | 06-13-2025 | |
Threat detailsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal etracker allows Cross-Site Scripting (XSS).This issue affects etracker: from 0.0.0 before 3.1.0. | CVE | LOW | 06-13-2025 | |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsTCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for TCG standard TPM2.0 | CVE | LOW | 06-13-2025 | |
Threat detailsAn issue in the openc3-api/tables endpoint of OpenC3 COSMOS 6.0.0 allows attackers to execute a directory traversal. | CVE | LOW | 06-13-2025 | |
Threat detailsXWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code. | CVE | CWE-357 | LOW | 06-13-2025 |
Threat detailsAn issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS 6.0.0 allows attackers to execute a directory traversal. | CVE | LOW | 06-13-2025 | |
Threat detailsMissing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing.This issue affects Bookable Calendar: from 0.0.0 before 2.2.13. | CVE | LOW | 06-13-2025 | |
Threat detailsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0. | CVE | LOW | 06-13-2025 | |
Threat detailsXWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren't analyzed at all. Similarly, the "source" parameters of the content and context macro weren't anylzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming righs edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0. | CVE | CWE-357 | LOW | 06-13-2025 |
Threat detailsXWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties. | CVE | CWE-270, CWE-357 | LOW | 06-13-2025 |
Threat detailsXWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page. | CVE | CWE-201 | LOW | 06-13-2025 |
Threat detailsXWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties. | CVE | CWE-357 | LOW | 06-13-2025 |
Threat detailsXWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3. | CVE | CWE-863 | LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsAdobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | CVE | CWE-79 | NETWORK: LOW | 06-13-2025 |
Threat detailsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal EU Cookie Compliance (GDPR Compliance) allows Cross-Site Scripting (XSS).This issue affects EU Cookie Compliance (GDPR Compliance): from 0.0.0 before 1.26.0. | CVE | LOW | 06-13-2025 | |
Threat detailsImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS).This issue affects Simple Klaro: from 0.0.0 before 1.10.0. | CVE | LOW | 06-13-2025 | |
Threat detailsArchive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities. The bundled library is affected by CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141. | CVE | LOW | 06-13-2025 | |
Threat details | CVE | LOW | 06-13-2025 | |
Threat detailsA flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption. | CVE | CWE-190 | NETWORK: HIGH | 06-13-2025 |
Threat detailsBuffer Overflow vulnerability in TOTOLINK N600R v4.3.0cu.7866_B2022506 allows a remote attacker to execute arbitrary code via the UPLOAD_FILENAME component | CVE | HIGH | 06-13-2025 | |
Threat detailsDirectory Traversal vulnerability in solon v.3.1.2 allows a remote attacker to conduct XSS attacks via the solon-faas-luffy component | CVE | HIGH | 06-13-2025 | |
Threat detailsA credential leak in OpenC3 COSMOS v6.0.0 allows attackers to access service credentials as environment variables stored in all containers. | CVE | HIGH | 06-13-2025 | |
| CVE | HIGH | 06-13-2025 | ||
Threat detailsWeak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack. | CVE | HIGH | 06-13-2025 | |
Threat detailsA flaw was found in GIMP. An integer overflow vulnerability exists in the GIMP "Despeckle" plug-in. The issue occurs due to unchecked multiplication of image dimensions, such as width, height, and bytes-per-pixel (img_bpp), which can result in allocating insufficient memory and subsequently performing out-of-bounds writes. This issue could lead to heap corruption, a potential denial of service (DoS), or arbitrary code execution in certain scenarios. | CVE | CWE-787 | LOCAL: LOW | 06-13-2025 |
Threat detailsXWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value. | CVE | CWE-94, CWE-250, CWE-270 | LOW | 06-13-2025 |
Threat detailsXWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7. | CVE | CWE-266 | LOW | 06-13-2025 |
Threat detailsBlink routers BL-WR9000 V2.4.9, BL-AC1900 V1.0.2, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 V1.0.5, BL-LTE300 V1.2.3, BL-F1200_AT1 V1.0.0, BL-X26_AC8 V1.2.8, BLAC450M_AE4 V4.0.0 and BL-X26_DA3 V1.2.7 were discovered to contain a command injection vulnerability via the routepwd parameter in the sub_45B238 function. | CVE | LOW | 06-13-2025 | |
Threat detailsUse of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of release. CVE Record will be updated once this is clarified. | CVE | LOW | 06-13-2025 | |
Threat detailsUse of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador. | CVE | LOW | 06-13-2025 | |
Threat detailsBlink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via the bs_SetSSIDHide function. | CVE | LOW | 06-13-2025 | |
Threat detailsIn Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could arbitrarily delete local system files with SYSTEM privilege, potentially leading to local privilege escalation. | CVE | LOW | 06-13-2025 | |
Threat detailsIn Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could overwrite arbitrary local system files with log content at SYSTEM privilege. | CVE | LOW | 06-13-2025 | |
Threat detailsBlink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabilities via the cmd parameter in the bs_SetCmd function. | CVE | LOW | 06-13-2025 | |
Threat detailsBlink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabilities via the dns1 and dns2 parameters in the bs_SetDNSInfo function. | CVE | LOW | 06-13-2025 | |
Threat detailsBlink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 werediscovered to contain a command injection vulnerability via the mac parameter in the bs_SetMacBlack function. | CVE | LOW | 06-13-2025 |
| DataType | ProblemTypes | Impact | Publishdate | |
|---|---|---|---|---|
| CVE | CWE-79 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-22 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-352 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-22 | NETWORK: HIGH | 06-14-2025 | |
| CVE | CWE-352 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-22 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-98 | NETWORK: HIGH | 06-14-2025 | |
| CVE | CWE-352 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-352 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-352 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-89 | NETWORK: LOW | 06-14-2025 | |
| CVE | CWE-434 | NETWORK: LOW | 06-14-2025 | |
| CVE | LOW | 06-14-2025 | ||
| CVE | LOW | 06-14-2025 | ||
| CVE | LOW | 06-14-2025 | ||
| CVE | LOW | 06-14-2025 | ||
| CVE | LOW | 06-14-2025 | ||
| CVE | LOW | 06-14-2025 | ||
| CVE | LOW | 06-14-2025 | ||
| CVE | LOW | 06-14-2025 | ||
| CVE | CWE-352 | NETWORK: LOW | 06-14-2025 | |
| CVE | LOW | 06-14-2025 | ||
| CVE | CWE-250 | NETWORK: HIGH | 06-14-2025 | |
| CVE | HIGH | 06-13-2025 | ||
| CVE | CWE-502 | LOCAL: HIGH | 06-13-2025 | |
| CVE | CWE-763 | LOCAL: LOW | 06-13-2025 | |
| CVE | CWE-95 | LOW | 06-13-2025 | |
| CVE | CWE-787 | LOCAL: LOW | 06-13-2025 | |
| CVE | CWE-121 | LOCAL: LOW | 06-13-2025 | |
| CVE | CWE-125 | LOCAL: LOW | 06-13-2025 | |
| CVE | CWE-915 | LOW | 06-13-2025 | |
| CVE | CWE-306 | LOW | 06-13-2025 | |
| CVE | CWE-306 | NETWORK: LOW | 06-13-2025 | |
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | CWE-357 | LOW | 06-13-2025 | |
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | CWE-357 | LOW | 06-13-2025 | |
| CVE | CWE-270, CWE-357 | LOW | 06-13-2025 | |
| CVE | CWE-201 | LOW | 06-13-2025 | |
| CVE | CWE-357 | LOW | 06-13-2025 | |
| CVE | CWE-863 | LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | CWE-79 | NETWORK: LOW | 06-13-2025 | |
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | CWE-190 | NETWORK: HIGH | 06-13-2025 | |
| CVE | HIGH | 06-13-2025 | ||
| CVE | HIGH | 06-13-2025 | ||
| CVE | HIGH | 06-13-2025 | ||
| CVE | HIGH | 06-13-2025 | ||
| CVE | HIGH | 06-13-2025 | ||
| CVE | CWE-787 | LOCAL: LOW | 06-13-2025 | |
| CVE | CWE-94, CWE-250, CWE-270 | LOW | 06-13-2025 | |
| CVE | CWE-266 | LOW | 06-13-2025 | |
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 | ||
| CVE | LOW | 06-13-2025 |
