291 matches found
CVE-2025-66514 Nextcloud Mail stored HTML injection in subject text
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the...
EUVD-2025-201445
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1...
Nextcloud Mail 跨站脚本漏洞
Nextcloud Mail is an email from Nextcloud Germany. A cross-site scripting vulnerability exists in versions of Nextcloud Mail prior to 5.5.3, which stems from the presence of stored HTML injection in mailing lists, which could lead to HTML injection attacks...
CVE-2025-14011 JIZHICMS Add Display Name Field addcomment.html commentlist sql injection
A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Performing a manipulation of the argument aid/tid results in sql injection. The attack can be initiated remotely...
PT-2025-49106
A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.php/admins/Comment/addcomment.html of the component Comment Handler. The manipulation of the argument body leads to cross site scripting. The attack may be initiated remotely. Th...
CVE-2025-13357
Vault’s Terraform Provider incorrectly set the default denynullbind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. Thi...
CVE-2025-66057 WordPress Bold Page Builder plugin <= 5.5.2 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in boldthemes Bold Page Builder bold-page-builder allows DOM-Based XSS.This issue affects Bold Page Builder: from n/a through = 5.5.2...
CVE-2025-55123
Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users...
PT-2025-46440
Name of the Vulnerable Software and Affected Versions InDesign Desktop versions 20.5, 19.5.5 and earlier Description The software contains a Use After Free issue that may lead to arbitrary code execution with the privileges of the current user. Successful exploitation requires a user to open a...
CVE-2025-53412
A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the following version: File Station 5...
EUVD-2025-38242
ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting XSS,specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containi...
ClipBucket V5 安全漏洞
ClipBucket V5 is a video hosting platform for MacWarrior individual developers. A security vulnerability exists in ClipBucket V5 5.5.2-146 and prior versions, which stems from the Manage Photos feature mishandling the Photo Title parameter, which could lead to a stored cross-site scripting attack...
PT-2025-45443
Name of the Vulnerable Software and Affected Versions File Station 5 versions prior to 5.5.6.5018 Description A flaw exists where a remote attacker, having obtained a user account, could potentially trigger a denial-of-service DoS attack due to a NULL pointer dereference. Recommendations Update t...
PT-2025-44614
Name of the Vulnerable Software and Affected Versions SeventhQueen Kleo versions prior to 5.5.0 Description The software contains an Improper Control of Filename for Include/Require Statement issue, also known as a PHP Local File Inclusion. This allows for the inclusion of local files...
CVE-2025-57931
Cross-Site Request Forgery CSRF vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through = 5.5.4...
AZL-69568 CVE-2025-61104 affecting package frr for versions less than 8.5.5-5
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the showvtyunknowntlv function at ospfext.c. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted OSPF packet...
CVE-2025-12205
A vulnerability was detected in Kamailio 5.5. The affected element is the function srpushyystate of the file src/core/cfg.lex of the component Configuration File Handler. The manipulation results in use after free. The attack must be initiated from a local position. The exploit is now public and...
CVE-2025-12205
Kamailio 5.5 is affected by a vulnerability in the function sr_push_yy_state (src/core/cfg.lex) that causes use-after-free. The issue requires local access to exploit. Public exploit exists, but the real-world existence of the vulnerability has been doubted in the sources. Connected advisories (R...
CVE-2025-62917 WordPress Tooltipy plugin <= 5.5.9 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Jamel.Z Tooltipy bluet-keywords-tooltip-generator allows Stored XSS.This issue affects Tooltipy: from n/a through = 5.5.9...
CVE-2025-62917 WordPress Tooltipy plugin <= 5.5.9 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Jamel.Z Tooltipy bluet-keywords-tooltip-generator allows Stored XSS.This issue affects Tooltipy: from n/a through = 5.5.9...