WordPress Uncanny Automator plugin <= 6.4.0.1 - Authenticated (Subscriber+) PHP Object Injection in automator_api_decode_message Function vulnerability
Authenticated (Subscriber+) PHP Object Injection in automator_api_decode_message Function vulnerability discovered by mikemyers in WordPress Plugin Uncanny Automator versions <= 6.4.0.1...
CVE-2025-47278 Flask uses fallback key instead of current signing key
Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the itsdangerous library. A list of keys can...
CVE-2025-46721
A CSRF vulnerability in nosurf (Go) before v1.2.0 arises from misusing Go’s net/http, causing all incoming requests to be treated as plain-text and bypassing the Referer-origin check. An attacker controlling content on the target or a subdomain can forge cross-origin requests and potentially mani...
CVE-2025-46721 nosurf vulnerable to CSRF due to non-functional same-origin request checks
nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise), to bypass CSRF checks and issue requests on user's behal...
PT-2025-21041 · Adobe · Connect
Name of the Vulnerable Software and Affected Versions: Adobe Connect versions 12.8 and earlier
Description: A stored Cross-Site Scripting (XSS) vulnerability affects Adobe Connect, allowing an attacker to inject malicious scripts into vulnerable form fields. When a victim accesses the page containi...
PT-2025-21036 · Adobe · Substance3D - Stager
Name of the Vulnerable Software and Affected Versions: Substance3D - Stager versions 3.1.1 and earlier
Description: The issue is a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. To exploit this problem, user interaction is required,...
PT-2025-20893 · Apache · Apache Http Server
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server (affected versions not specified)
Description: The issue concerns an information disclosure in the Apache HTTP Server. No specific details about the nature of the disclosure or how it can be exploited are provided. There is n...
WordPress Newsletters plugin <= 4.9.9.8 - Authenticated (Contributor+) SQL Injection orderby Parameter vulnerability
Authenticated (Contributor+) SQL Injection orderby Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Newsletters versions <= 4.9.9.8...
WordPress SMS Alert Order Notifications – WooCommerce plugin <= 3.8.1 - Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function vulnerability
Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function vulnerability discovered by wesley wcraft in WordPress Plugin SMS Alert Order Notifications versions <= 3.8.1...
CVE-2025-32390 EspoCRM vulnerable to HTML Injection into phishing, which may lead to account takeover
EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and...
WordPress TheGem Theme <= 5.10.3 is vulnerable to Broken Access Control
Software: TheGem
Type: Theme
Vulnerable versions: <= 5.10.3
Fixed in: 5.10.3.1
OWASP Top 10: A5: Broken Access Control
Classification: Broken Access Control
CVE: CVE-2025-4339
Patch priority: Low
CVSS severity: Low (4.3)
PSID: 0df3139c7e52
Credits: Foxyyy
Required privilege: Subscriber...
PT-2025-20655 · Unknown · Jeecg-Boot
Name of the Vulnerable Software and Affected Versions: JeecgBoot versions up to 3.8.0
Description: A vulnerability was found in JeecgBoot that affects the function unzipFile of the file /jeecg-boot/airag/knowledge/doc/import/zip of the component Document Library Upload. The manipulation of the...
PT-2025-20666 · D Link · D-Link Di-8100
Name of the Vulnerable Software and Affected Versions: D-Link DI-8100 versions up to 16.07.26A1
Description: A critical issue affects the processing of the file /ddos.asp of the component jhttpd. The manipulation of the arguments def max, def time, def tcp max, def tcp time, def udp max, def udp...
PT-2025-20635 · Unknown · Phpgurukul E-Diary Management System
Name of the Vulnerable Software and Affected Versions: PHPGurukul e-Diary Management System version 1.0
Description: A critical issue has been found in the PHPGurukul e-Diary Management System, affecting the processing of the file /manage-notes.php. The manipulation of the ID argument leads to SQ...
WordPress Jeg Elementor Kit plugin <= 2.6.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Button and Countdown Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Video Button and Countdown Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Jeg Elementor Kit versions <= 2.6.12...
code-server's session cookie can be extracted by having user visit specially crafted proxy URL
Summary: A maliciously crafted URL using the proxy subpath can result in the attacker gaining access to the session token.
Details: Failure to properly validate the port for a proxy request can result in proxying to an arbitrary domain. The malicious URL https:///proxy/[email protected]/path would be...
WordPress Website Builder by SeedProd plugin <= 6.18.15 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin Coming Soon Page, Under Construction & Maintenance Mode by SeedProd versions <= 6.18.15...
SUSE CVE-2025-4287
A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function torch.cuda.nccl.reduce of the file torch/cuda/nccl.py. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has bee...
PT-2025-20439 · D Link · D-Link Dir-605L
Name of the Vulnerable Software and Affected Versions: D-Link DIR-605L version 2.13B01
Description: A critical issue affects the formSetWAN Wizard55 function, where manipulation of the curTime argument leads to a buffer overflow. This can be initiated remotely. The vendor was contacted about this...
WordPress Easy PayPal Buy Now Button plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nabil Irawan in WordPress Plugin Easy PayPal Buy Now Button versions <= 2.0...