
2426 matches found

CVE
added 2025/06/06 11:51 a.m., 42 views

CVE-2025-41367

The CVE-2025-41367 entry affects IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. The issue is a Stored Cross-Site Scripting (XSS) vulnerability that lets an attacker store malicious JavaScript payloads to run in a victim’s browser. Exploitation requires authenticating to the device and executing com...

CVSS 4.8, AI score 5.4, EPSS 0.00314
Exploits 0, References 1

Cvelist
added 2025/06/06 11:50 a.m., 9 views

CVE-2025-41366 CORS vulnerability in IDF and ZLF

In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can only be executed with permissions higher than the view...

CVSS 5.1, EPSS 0.00305
Exploits 0, References 1

CVE
added 2025/06/06 11:49 a.m., 43 views

CVE-2025-41365

CVE-2025-41365 describes a code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. The flaw allows an attacker to store a malicious payload that runs in the victim’s browser. Exploitation requires authentication to the device and commands with permissions higher than the view...

CVSS 5.1, AI score 7.6, EPSS 0.00319
Exploits 0, References 1

Vulnrichment
added 2025/06/06 11:49 a.m., 7 views

CVE-2025-41365 Code injection vulnerability in IDF and ZLF

Code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that...

CVSS 5.1, AI score 7, EPSS 0.00319
Exploits 0, References 1

Vulnrichment
added 2025/06/06 11:49 a.m., 4 views

CVE-2025-41364 Stored Cross-Site Scripting (XSS) vulnerability in IDF and ZLF

Stored Cross-Site Scripting (XSS) vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious JavaScript payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and...

CVSS 5.1, AI score 5.7, EPSS 0.003
Exploits 0, References 1

CVE
added 2025/06/06 11:47 a.m., 46 views

CVE-2025-41363

The CVE-2025-41363 issue affects IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. A cross-origin resource sharing (CORS) configuration error allows commands that require view permission to be executed after authenticating to the device. The documented exploitation path indicates authentication is nee...

CVSS 5.3, AI score 7.2, EPSS 0.00282
Exploits 0, References 1

Cvelist
added 2025/06/06 11:47 a.m., 11 views

CVE-2025-41363 CORS vulnerability in IDF and ZLF

In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing (CORS). Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission...

CVSS 5.3, EPSS 0.00282
Exploits 0, References 1

Positive Technologies
added 2025/06/06 12:0 a.m., 5 views

PT-2025-24084 · Idf +1 · Idf +1

Name of the Vulnerable Software and Affected Versions: IDF versions 0.10.0-0C03-03, ZLF versions 0.10.0-0C03-04
Description: A configuration error has been detected in cross-origin resource sharing (CORS) in the affected software. To exploit this issue, an attacker must authenticate to the device an...

CVSS 5.1, AI score 6.7, EPSS 0.00305
Exploits 0, References 4

Zero Day Initiative
added 2025/06/06 12:0 a.m., 6 views

(0Day) (Pwn2Own) WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpretation of Input Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of command frames received by the MCU. When parsing...

CVSS 8, AI score 7.5, EPSS 0.0036
Exploits 0

Positive Technologies
added 2025/06/06 12:0 a.m., 5 views

PT-2025-24282 · Wolfbox · Wolfbox Level 2 Ev Charger

Name of the Vulnerable Software and Affected Versions: WOLFBOX Level 2 EV Charger (affected versions not specified)
Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected WOLFBOX Level 2 EV Charger devices. Authentication is required for exploitation...

CVSS 8, AI score 8, EPSS 0.0036
Exploits 0, References 7

Patchstack
added 2025/06/05 1:46 a.m., 15 views

WordPress WP Security Master plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) Vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin WP Security Master versions <= 1.0.2...

CVSS 4.3, AI score 6.6, EPSS 0.00136
Exploits 0, Affected Software 1

Cvelist
added 2025/06/04 4:18 p.m., 16 views

CVE-2025-20278 Cisco Unified Communications Products Command Injection Vulnerability

A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. This vulnerability is due to improper validation of user-supplied...

CVSS 6, EPSS 0.00156
Exploits 0, References 1

Cvelist
added 2025/06/04 4:18 p.m., 15 views

CVE-2025-20277 Cisco Unified Contact Center Express Path Traversal Vulnerability

A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper...

CVSS 3.4, EPSS 0.00147
Exploits 0, References 1

Cvelist
added 2025/06/04 7:24 a.m., 15 views

CVE-2025-27444 Extension - rsjoomla.com - A reflected XSS vulnerability RSform!Pro component 3.0.0 - 3.3.13 for Joomla

A reflected XSS vulnerability in RSform!Pro component 3.0.0 - 3.3.13 for Joomla was discovered. The issue arises from the improper handling of the filterdateFrom GET parameter, which is reflected unescaped in the administrative backend interface. This allows an authenticated attacker with admin o...

EPSS 0.00255
Exploits 0, References 1

GithubExploit
added 2025/05/31 10:25 p.m., 334 views

Exploit for Code Injection in Langflow

Authenticated CVE-2025-3248 Langflow Remote Code Execution Th...

CVSS 9.8, AI score 10, EPSS 0.99959
Exploits 33

Zero Day Initiative
added 2025/05/29 12:0 a.m., 6 views

(Pwn2Own) Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of ALAC data. The issue results from the lack of proper validation of the...

CVSS 8.8, AI score 7.4, EPSS 0.00326
Exploits 0

RedhatCVE
added 2025/05/26 5:14 a.m., 13 views

CVE-2025-4223

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘loginurl’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 4.7, AI score 6.2, EPSS 0.00347
Exploits 0, References 1

GithubExploit
added 2025/05/24 3:55 p.m., 524 views

Exploit for Unrestricted Upload of File with Dangerous Type in Pluck-Cms Pluck

CVE-2023-50564 📌 Description This exploit allows an authe...

CVSS 8.8, AI score 9, EPSS 0.29069
Exploits 11

NVD
added 2025/05/24 5:15 a.m., 11 views

CVE-2025-4223

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘loginurl’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 4.7, EPSS 0.00347
Exploits 0, References 3

RedhatCVE
added 2025/05/23 10:47 a.m., 6 views

CVE-2024-9452

The Branding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inje...

CVSS 6.4, AI score 5.8, EPSS 0.0028
Exploits 0, References 1