Export limit exceeded: 342395 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (342395 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12043 | 2 Autochat, Wordpress | 2 Automatic Conversation, Wordpress | 2025-11-26 | 5.3 Medium |
| The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID. | ||||
| CVE-2025-0005 | 1 Amd | 1 Xilinx Run Time | 2025-11-26 | 7.3 High |
| Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service. | ||||
| CVE-2025-13452 | 3 Najeebmedia, Woocommerce, Wordpress | 3 Admin And Customer Messages After Order For Woocommerce, Woocommerce, Wordpress | 2025-11-26 | 4.3 Medium |
| The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters. | ||||
| CVE-2025-41016 | 1 Davantis | 1 Dfusion | 2025-11-26 | N/A |
| Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms/<ALARM_ID>/<MEDIA>”, where the “MEDIA” parameter can take the value of “snapshot” or “video.mp4”. These media files contain images recorded by security cameras in response to triggered alerts. | ||||
| CVE-2025-65951 | 1 Mescuwa | 1 Entropy-derby | 2025-11-26 | 8.7 High |
| Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f. | ||||
| CVE-2025-13382 | 2 Najeebmedia, Wordpress | 2 Frontend File Manager Plugin, Wordpress | 2025-11-26 | 4.3 Medium |
| The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter. | ||||
| CVE-2025-52538 | 1 Amd | 1 Xilinx Run Time | 2025-11-26 | 8 High |
| Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in loss of confidentiality or availability. | ||||
| CVE-2025-13414 | 2 Gwendydd, Wordpress | 2 Chamber Dashboard Business Directory, Wordpress | 2025-11-26 | 5.3 Medium |
| The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for unauthenticated attackers to export business directory information, including sensitive business details. | ||||
| CVE-2025-12742 | 1 Google | 1 Cloud Looker | 2025-11-26 | N/A |
| A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+ | ||||
| CVE-2025-12587 | 2 Webgarh, Wordpress | 2 Peer Publish, Wordpress | 2025-11-26 | 4.3 Medium |
| The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-13559 | 1 Wordpress | 1 Wordpress | 2025-11-26 | 9.8 Critical |
| The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'edukart_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | ||||
| CVE-2025-66235 | 2025-11-26 | N/A | ||
| Not used | ||||
| CVE-2025-66234 | 2025-11-26 | N/A | ||
| Not used | ||||
| CVE-2025-66233 | 2025-11-26 | N/A | ||
| Not used | ||||
| CVE-2025-66232 | 2025-11-26 | N/A | ||
| Not used | ||||
| CVE-2025-66231 | 2025-11-26 | N/A | ||
| Not used | ||||
| CVE-2025-66230 | 2025-11-26 | N/A | ||
| Not used | ||||
| CVE-2025-66229 | 2025-11-26 | N/A | ||
| Not used | ||||
| CVE-2025-66228 | 2025-11-26 | N/A | ||
| Not used | ||||
| CVE-2025-65947 | 1 Thread-amount Project | 1 Thread-amount | 2025-11-25 | N/A |
| thread-amount is a tool that gets the amount of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. In Windows platforms, the thread_amount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached. In Apple platforms, the thread_amount function calls task_threads (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using vm_deallocate. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer. This issue has been patched in version 0.2.2. | ||||