2444 matches found
CVE-2025-41365 Code injection vulnerability in IDF and ZLF
Code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that...
CVE-2025-41364 Stored Cross-Site Scripting (XSS) vulnerability in IDF and ZLF
Stored Cross-Site Scripting XSS vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious JavaScript payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and...
CVE-2025-41363 CORS vulnerability in IDF and ZLF
In IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04, a configuration error has been detected in cross-origin resource sharing CORS. Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission...
CVE-2025-41363
The CVE-2025-41363 issue affects IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. A cross-origin resource sharing (CORS) configuration error allows commands that require view permission to be executed after authenticating to the device. The documented exploitation path indicates authentication is nee...
PT-2025-24282 · Wolfbox · Wolfbox Level 2 Ev Charger
Name of the Vulnerable Software and Affected Versions: WOLFBOX Level 2 EV Charger affected versions not specified Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected WOLFBOX Level 2 EV Charger devices. Authentication is required for exploitation...
PT-2025-24084 · Idf +1 · Idf +1
Name of the Vulnerable Software and Affected Versions: IDF versions 0.10.0-0C03-03 ZLF versions 0.10.0-0C03-04 Description: A configuration error has been detected in cross-origin resource sharing CORS in the affected software. To exploit this issue, an attacker must authenticate to the device an...
(0Day) (Pwn2Own) WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpretation of Input Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installatons of WOLFBOX Level 2 EV Charger devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of command frames received by the MCU. When parsing...
WordPress WP Security Master plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery CSRF Vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin WP Security Master versions = 1.0.2...
CVE-2025-20278 Cisco Unified Communications Products Command Injection Vulnerability
A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. This vulnerability is due to improper validation of user-supplied...
CVE-2025-20277 Cisco Unified Contact Center Express Path Traversal Vulnerability
A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper...
CVE-2025-27444 Extension - rsjoomla.com - A reflected XSS vulnerability RSform!Pro component 3.0.0 - 3.3.13 for Joomla
A reflected XSS vulnerability in RSform!Pro component 3.0.0 - 3.3.13 for Joomla was discovered. The issue arises from the improper handling of the filterdateFrom GET parameter, which is reflected unescaped in the administrative backend interface. This allows an authenticated attacker with admin o...
Exploit for Code Injection in Langflow
Authenticated CVE-2025-3248 Langflow Remote Code Execution Th...
(Pwn2Own) Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of ALAC data. The issue results from the lack of proper validation of the...
CVE-2025-4223
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘loginurl’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for...
Exploit for Unrestricted Upload of File with Dangerous Type in Pluck-Cms Pluck
CVE-2023-50564 📌 Description This exploit allows an authe...
CVE-2025-4223
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘loginurl’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-9452
The Branding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inje...
CVE-2024-30570
An information leak in debuginfo.htm of Netgear R6850 v1.1.0.88 allows attackers to obtain sensitive information without any authentication required...
CVE-2024-29832
The currenturl parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the currenturl parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. No...
CVE-2024-12560
The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via the 'btnblockduplicatepost' function. This makes it possible for authenticated attackers, with Contributor-leve...