Patchstack
added 2025/06/11 1:10 a.m. · 9 views

WordPress Premium Addons for Elementor plugin <= 4.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget vulnerability discovered by Asaf Mozes in WordPress Plugin Premium Addons for Elementor versions <= 4.11.8...

CVSS 6.4 · AI score 5.5 · EPSS 0.00213
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2025/06/11 12:0 a.m. · 2 views

like-girl security vulnerability

like-girl is a couple logging tool by the individual developer kiCode111 in China. A security vulnerability exists in like-girl version 5.2.0; it stems from SQL injection caused by improper handling of the imgDatd/imgText/imgUrl parameters in the file /admin/ImgAddPost.php...

CVSS 7.2 · AI score 5.6 · EPSS 0.00343
Exploits 1 · References 1
NCSC
added 2025/06/10 6:46 p.m. · 5 views

Vulnerabilities fixed in Microsoft Developer Tools

Microsoft has fixed vulnerabilities in several Developer Tools. A malicious person could exploit the vulnerabilities to execute arbitrary code with victim privileges. Since it cannot be ruled out that developers work with elevated privileges, it is plausible that execution of arbitrary code could...

CVSS 7.8 · AI score 7.6 · EPSS 0.05409
Exploits 1
RedHat Linux
added 2025/06/10 10:39 a.m. · 17 views

Important: Red Hat Security Advisory: HawtIO 4.2.0 for Red Hat build of Apache Camel 4 Release and security update.

HawtIO 4.2.0 for Red Hat build of Apache Camel 4 GA Release is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update ...

CVSS 8.7 · AI score 6.7 · EPSS 0.01966
Exploits 1 · References 6
Veracode
added 2025/06/10 6:3 a.m. · 2 views

Denial Of Service (DoS)

github.com/kuadrant/authorino is vulnerable to Denial of Service (DoS). The vulnerability is due to the lack of limits on post-authorization callbacks, allowing an attacker with developer persona access to overload the service...

CVSS 5.7 · AI score 5.4 · EPSS 0.00272
Exploits 0 · References 3 · Affected Software 1
Patchstack
added 2025/06/10 12:0 a.m. · 8 views

WordPress Photography Theme <= 7.5.2 is vulnerable to PHP Object Injection

Software: Photography · Type: Theme · Vulnerable versions: <= 7.5.2 · Fixed in: N/A · OWASP Top 10: A3: Injection · Classification: PHP Object Injection · CVE: CVE-2025-47579 · Patch priority: High · CVSS severity: High 9 · Developer: EPC · PSID: f3488f35689e · Credits: Rafie Muhammad (Patchstack) · Required privilege: Unauthenticated...

AI score 7.2 · EPSS 0.00303
Exploits 0 · References 1 · Affected Software 1
Kaspersky
added 2025/06/10 12:0 a.m. · 10 views

KLA84761 Multiple vulnerabilities in Microsoft Developer Tools

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to execute arbitrary code or gain privileges. Below is a complete list of vulnerabilities: 1. A remote code execution vulnerability in .NET and Visual Studio can be exploited remotely...

CVSS 7.8 · AI score 8.3 · EPSS 0.05409
Exploits 1 · References 10
NVD
added 2025/06/09 1:15 p.m. · 24 views

CVE-2025-49013

WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of ${{ github.event.review.body }} and other user-controlled variables directly inside shell script contexts in GitHub...

CVSS 9.9 · EPSS 0.00622
Exploits 0 · References 5
Github Security Blog
added 2025/06/09 6:30 a.m. · 7 views

Authorino Uncontrolled Resource Consumption vulnerability

A Developer persona can bring down the Authorino service, preventing the evaluation of all AuthPolicies on the cluster...

CVSS 5.7 · AI score 5.9 · EPSS 0.00281
Exploits 0 · References 4 · Affected Software 1
OSV
added 2025/06/09 6:30 a.m. · 8 views

GHSA-R8XR-PGV5-GXW3 Authorino Uncontrolled Resource Consumption vulnerability

The Authorino service in Red Hat Connectivity Link is the authorization service for zero-trust API security. Authorino allows users with the developer persona to add callbacks to HTTP endpoints that are executed once the authorization process is completed. It was found that an attacker with...

CVSS 5.7 · AI score 7.2 · EPSS 0.00272
Exploits 0 · References 4
NVD
added 2025/06/09 6:15 a.m. · 9 views

CVE-2025-25208

A Developer persona can bring down the Authorino service, preventing the evaluation of all AuthPolicies on the cluster...

CVSS 5.7 · EPSS 0.00281
Exploits 0 · References 2
CVE
added 2025/06/09 6:13 a.m. · 57 views

CVE-2025-25209

CVE-2025-25209 affects Red Hat Connectivity Link. The issue arises in the AuthPolicy metadata, where an object storing secrets assumes they already exist in the kuadrant-system namespace instead of copying them to the referred namespace, enabling an attacker with developer persona access to leak secrets via...

CVSS 5.7 · AI score 5.5 · EPSS 0.00187
Exploits 0 · References 2
CVE
added 2025/06/09 6:13 a.m. · 63 views

CVE-2025-25208

CVE-2025-25208 affects the Authorino project (github.com/kuadrant/authorino) and is described as an uncontrolled resource consumption denial of service through an AuthPolicy with sharedSecretRef, per multiple connected entries (e.g., CVE list/circl). The core impact is that a malicious developer ...

CVSS 5.7 · AI score 5.6 · EPSS 0.00281
Exploits 0 · References 2
Vulnrichment
added 2025/06/09 6:13 a.m. · 2 views

CVE-2025-25208 RHCL: Authorino denial of service through AuthPolicy with sharedSecretRef severity

A Developer persona can bring down the Authorino service, preventing the evaluation of all AuthPolicies on the cluster...

CVSS 5.7 · AI score 5.9 · EPSS 0.00281
Exploits 0 · References 2
CVE
added 2025/06/09 6:12 a.m. · 70 views

CVE-2025-25207

The CVE concerns Authorino in Red Hat Connectivity Link. A developer-persona attacker can flood the service with post-authorization callbacks, and since policy enforcement is handled by a single Authorino instance, this leads to Denial of Service during post-authorization callback processing. Doc...

CVSS 5.7 · AI score 5.7 · EPSS 0.00272
Exploits 0 · References 2
Positive Technologies
added 2025/06/09 12:0 a.m. · 6 views

PT-2025-24401 · Red Hat · Red Hat Connectivity Link

Name of the Vulnerable Software and Affected Versions: Red Hat Connectivity Link (affected versions not specified). Description: The issue concerns the AuthPolicy metadata in Red Hat Connectivity Link, which contains an object storing secrets. However, it assumes these secrets are already in the...

CVSS 5.7 · AI score 5.3 · EPSS 0.00187
Exploits 0 · References 7
Patchstack
added 2025/06/09 12:0 a.m. · 7 views

WordPress Inset Theme <= 1.18.0 is vulnerable to Local File Inclusion

Software: Inset · Type: Theme · Vulnerable versions: <= 1.18.0 · Fixed in: N/A · OWASP Top 10: A3: Injection · Classification: Local File Inclusion · CVE: CVE-2025-26592 · Patch priority: High · CVSS severity: High 8.1 · Developer: Claim ownership · PSID: 2b36ab61c62f · Credits: Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity)...

CVSS 8.1 · AI score 7.2 · EPSS 0.00519
Exploits 0 · References 1 · Affected Software 1
Patchstack
added 2025/06/09 12:0 a.m. · 5 views

WordPress TinySalt Theme < 3.10.0 is vulnerable to Local File Inclusion

Software: TinySalt · Type: Theme · Vulnerable versions: < 3.10.0 · Fixed in: 3.10.0 · OWASP Top 10: A3: Injection · Classification: Local File Inclusion · CVE: CVE-2025-49454 · Patch priority: High · CVSS severity: High 8.1 · Developer: LoftOcean · PSID: f11131feed0e · Credits: Bonds · Required privilege: Unauthenticated · Published: 9...

CVSS 8.1 · AI score 7.2 · EPSS 0.00537
Exploits 0 · References 1 · Affected Software 1
Patchstack
added 2025/06/09 12:0 a.m. · 6 views

WordPress CozyStay Theme < 1.7.1 is vulnerable to PHP Object Injection

Software: CozyStay · Type: Theme · Vulnerable versions: < 1.7.1 · Fixed in: 1.7.1 · OWASP Top 10: A3: Injection · Classification: PHP Object Injection · CVE: CVE-2025-49507 · Patch priority: High · CVSS severity: High 9.8 · Developer: LoftOcean · PSID: 87cadbf62283 · Credits: Bonds · Required privilege: Unauthenticated · Published: 9 Jun...

CVSS 9.8 · AI score 7.2 · EPSS 0.00509
Exploits 0 · References 1 · Affected Software 1
VulnCheck KEV
added 2025/06/07 12:0 a.m. · 3 views

VulnCheck KEV: CVE-2012-3153

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Servlet. NOTE: the previous information is from the October 2012 CPU...

CVSS 6.4 · AI score 7.3 · EPSS 0.9822
Exploits 10 · References 1