6279 matches found
CVE-2025-65518
creationtimestamp| type| source ---|---|--- 2025-12-16 15:00:07+00:00| published-proof-of-concept| Telegram/vMapVwBTPoziYsVhraiOr2XjKllgeKD5X4QLNBfOpeW9ZJY 2026-01-08 18:58:47+00:00| seen| https://infosec.exchange/users/cR0w/statuses/115861010964456359 2026-01-08 19:40:58+00:00| seen|...
EUVD-2025-203499
The Auto Featured Image Auto Post Thumbnail plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkactiongeneratehandler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with...
CVE-2025-66402
Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue...
CVE-2025-65590
CVE-2025-65590 affects nopCommerce 4.90.0. The vulnerability is a Cross-Site Scripting (XSS) flaw exploitable via the Blog posts functionality in the Content Management area. The initial report does not provide exact vulnerable component details beyond the Blog posts feature; Red Hat and EUVD mir...
WordPress List category posts SQL Injection Vulnerability
WordPress List category posts is a feature-rich WordPress plugin , mainly through the catlist short code to achieve the function . WordPress List category posts has a SQL injection vulnerability, the vulnerability stems from the existence of the startingwith parameter time-based SQL injection, an...
PT-2025-51769
Name of the Vulnerable Software and Affected Versions nopCommerce version 4.90.0 Description The software is susceptible to Cross Site Scripting XSS through the Blog posts functionality within the Content Management area. The issue allows for potential malicious script injection. Recommendations ...
CVE-2025-65590
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting XSS via the Blog posts functionality in the Content Management area...
CVE-2025-65590
nopCommerce 4.90.0 is vulnerable to Cross Site Scripting XSS via the Blog posts functionality in the Content Management area...
nopCommerce 安全漏洞
nopCommerce is an open source, general purpose e-commerce platform from nopCommerce, Inc. A security vulnerability exists in nopCommerce version 4.90.0, which stems from cross-site scripting in the Blog posts feature in the content management area...
Misskey 安全漏洞
Misskey is a permanently free open source syndicated social media platform from Misskey Open Source. A security vulnerability exists in Misskey version 13.0.0-beta.16 through versions prior to 2025.12.0, which stems from a participant who does not have permission to view favorites or clips being...
Welcome to the new Project Zero Blog
Posted by Natalie Silvanovich While on Project Zero, we aim for our research to be leading-edge, our blog design was … not so much. We welcome readers to our shiny new blog! For the occasion, we asked members of Project Zero to dust off old blog posts that never quite saw the light of day. And...
CVE-2025-66402 misskey.js's export data contains private post data
Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue...
CVE-2025-66402
Misskey CVE-2025-66402 affects versions 13.0.0-beta.16 through before 2025.12.0, where an actor without permission to view favorites or clips could export posts and view contents, exposing private data. Version 2025.12.0 fixes the issue. The vulnerability stems from the export functionality not e...
CVE-2025-66402 misskey.js's export data contains private post data
Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can can export the posts and view the contents. Version 2025.12.0 fixes the issue...
GHSA-496G-MMPW-J9X3 misskey.js's export data contains private post data
Summary After adding private posts followers, direct that you do not have permission to view to your favorites or clips, you can export them to view the contents of the private posts. PoC 1. Create an account X for testing and an account Y for private posts on the same server. 2. Send appropriate...
misskey.js's export data contains private post data
Summary After adding private posts followers, direct that you do not have permission to view to your favorites or clips, you can export them to view the contents of the private posts. PoC 1. Create an account X for testing and an account Y for private posts on the same server. 2. Send appropriate...
CVE-2025-13950
CVE-2025-13950 affects the OneSignal – Web Push Notifications WordPress plugin. It allows unauthenticated modification of data (App ID, REST API key, and notification behavior) via POST requests due to a missing capability check in settings handling for all versions up to 3.6.1. The issue is netw...
CVE-2025-9218
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handlerestpredispatch function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to...
EUVD-2025-203220
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handlerestpredispatch function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to...
CVE-2025-12965
The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpactitletag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag name...