CVE / JVNDB Latest 100

Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd

Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so stack-based overflow

Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wired_clientlist_setClientsName stack-based overflow

Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so stack-based overflow

Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wireless_clientlist_setClientsName stack-based overflow

TOZED ZLT M30S/ZLT M30S PRO Web hard-coded credentials

All-in-One Video Gallery 4.5.4 - 4.5.7 – Authenticated (Author+) Arbitrary File Upload via Import ZIP

Starter Templates <= 4.4.41 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass

Rich Shortcodes for Google Reviews <= 6.8 - Unauthenticated Stored Cross-Site Scripting via Google Review

10Web Booster <= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache

Fluent Forms <= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id

Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters <= 1.0.0 - Authenticated (Subscriber+) Missing Authorization to Modify Accessibility Settings

Accessiy By CodeConfig Accessibility <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation

Search, Filters & Merchandising for WooCommerce <= 3.0.63 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation

CSV Sumotto <= 1.0 - Reflected Cross-Site Scripting

Yet Another WebClap for WordPress <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Extra Post Images <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

RevInsite <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

List Attachments Shortcode <= 0.4.1a - Authenticated (Author+) Stored Cross-Site Scripting via list-attachments Shortcode

CSS3 Buttons <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update

Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type

Cute News Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute

TR Timthumb <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Application Passwords <= 0.1.3 - Reflected Cross-Site Scripting via reject_url

Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification

Flex QR Code Generator <= 1.2.6 - Unauthenticated Arbitrary File Upload

WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update

Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion

g-FFL Cockpit <= 1.7.1 - Missing Authorization to Unauthenticated Information Exposure

Social Feed Gallery Portfolio <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

Live Sales Notification for Woocommerce – Woomotiv <= 3.6.3 - Reflected Cross-Site Scripting

Ultra Skype Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_id' Shortcode Attribute

myLCO <= 0.8.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

fit2cloud Halo cross-site request forgery

Improper access control in Google Cloud Apigee-X allows cross-tenant Analytics modification and log data access.

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI Ping Command

WatchGuard Firebox Authenticated Out of Bounds Write in certd

WatchGuard Firebox Authenticated Out of Bounds Write in Management CLI IPSec Configuration

WatchGuard Mobile VPN with SSL Local Privilege Escalation via Update Package

WatchGuard Firebox Authenticated Stack Overflow in Certificate Request Command

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Authenticated (Contributor+) SQL Injection via ORDER BY Clause

weDocs <= 2.1.14 - Missing Authorization to Settings Update

pidfs: validate extensible ioctls

mount: handle NULL values in mnt_ns_release()

nfc/nci: Add the inconsistency check between the input data length and count

rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()

mt76: mt7921: fix crash when startup fails.

net: sched: fix memory leak in tcindex_partial_destroy_work

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space.

Link Whisper Free <= 0.8.8 - Reflected Cross-Site Scripting

Widgets for Google Reviews <= 13.2.4 - Unauthenticated Stored Cross-Site Scripting via Google Reviews

In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative.

Undertow: outofmemory when parsing form data encoding with application/x-www-form-urlencoded

Org.wildfly.core:wildfly-server: wildfly improper rbac permission

Further research determined the issue is not a vulnerability.

HedgeDoc is missing state parameter in OAuth2 flows could lead to CSRF

xerrors Yuxi-Know embed.py OtherEmbedding.aencode server-side request forgery

Rarlab RAR App com.rarlab.rar path traversal

Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE

ZSPACE Q2C NAS HTTP POST Request open zfilev2_api.OpenSafe command injection

Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request.

Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request.

Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors.

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint.

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to execute arbitrary system commands.

CVE-2025-8148 Improper Access Control in SFTP service of GoAnywhere MFT

TOZED ZLT M30S/ZLT M30S PRO Web proc_post denial of service

Improper Sandboxing in Google Apigee's JavaCallout Policy Allows for Remote Code Execution

ZSPACE Q2C NAS HTTP POST Request close zfilev2_api.CloseSafe command injection

ZSPACE Q2C NAS HTTP POST Request status zfilev2_api.SafeStatus command injection

A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to execute de-authentication attacks, allowing crafted deauthentication and disassociation frames to be broadcast without authentication or encryption.

Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext.

zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.

Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all platform users.

Excessive read buffering DoS in http.client

Quadratic complexity in node ID cache clearing

BACnet-stack MS/TP reply matcher OOB read

Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands

Frappe LMS is Missing Server-Side Authorization in Business Logic

Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via rule-engines

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

Flexsense DiskBoss Service Unquoted Service Path Vulnerability

Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via plugin-config/dashboards/menus

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

ReQuest Serious Play F3 Media Player <= 3.0.0 Directory Traversal File Disclosure

ReQuest Serious Play F3 Media Server <= 7.0.3 Debug Log Disclosure2020

An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Edimax BR-6478AC V3 formSysCmd sub_44CCE4 os command injection

Time-of-check Time-of-use (TOCTOU) Race Condition in GitLab

The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges.

Nextcloud Server vulnerable to XSS in SVG images when opened outside of Nextcloud

An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Warehouse Management System 1.2 contains an authenticated arbitrary file deletion vulnerability. The /goods/deleteGoods endpoint accepts a user-controlled goodsimg parameter, which is directly concatenated with the server's UPLOAD_PATH and passed to File.delete() without validation. A remote authenticated attacker can delete arbitrary files on the server by supplying directory traversal payloads.

Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames

Nextcloud Server Contacts Search allowed users to retrieve contact information of other users beyond their contact list