CVE-2025-46326
snowflake-connector-net is the Snowflake Connector for .NET. Versions starting from 2.1.2 to before 4.4.1 are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Connector reads logging configuration from a user-provided...
CVE-2025-4003 RefindPlusRepo RefindPlus RP_ApfsIo.c InternalApfsTranslateBlock null pointer dereference
A vulnerability was found in RefindPlusRepo RefindPlus 0.14.2.AB. It has been classified as problematic. This affects the function InternalApfsTranslateBlock of the file Library/RPApfsLib/RPApfsIo.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the...
CVE-2025-4002
A vulnerability was found in RefindPlusRepo RefindPlus 0.14.2.AB and classified as problematic. Affected by this issue is the function GetDebugLogFile of the file Library/MemLogLib/BootLog.c. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The patch is...
CVE-2025-0926
Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for a non-admin user to remove system files causing a boot loop by redirecting a file deletion when recording video. Axis has released a patched version for the highlighted flaw. Please refer to the Ax...
CVE-2025-32961
The CVE-2025-32961 issue affects the Cuba JPA Web API (Cuba Platform add-on) prior to version 1.1.1, where an attacker could manipulate the input parameter (string with a file path/name) to cause the server to return a Content-Type of text/html for names ending in .html. This can enable execution...
GHSA-HG25-W3VG-7279 XSS in the /download Endpoint of the JPA Web API
Impact: The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be...
XSS in the /files Endpoint of the Generic REST API
Impact: The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be...
WordPress Frontend Dashboard plugin <= 2.2.5 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Nguyen Ngoc Quang Bach (maysbachs) in WordPress Plugin Frontend Dashboard versions <= 2.2.5...
WordPress CM Answers plugin <= 3.3.3 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by ch4r0n in WordPress Plugin CM Answers versions <= 3.3.3...
WordPress Watu Quiz plugin <= 3.4.3 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by astra.r3verii in WordPress Plugin Watu Quiz versions <= 3.4.3...
WordPress SKT Blocks – Gutenberg based Page Builder plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by zaim in WordPress Plugin SKT Blocks versions <= 2.0...
WordPress affiliate-toolkit plugin <= 3.7.3 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by stealthcopter in WordPress Plugin affiliate-toolkit versions <= 3.7.3...
WordPress User Registration plugin < 4.2.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Psai in WordPress Plugin User Registration versions < 4.2.0...
WordPress License For Envato plugin <= 1.0.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Dimas Maulana (Patchstack Alliance) in WordPress Plugin License For Envato versions <= 1.0.0...
PT-2025-17452 · Opencms · Opencms
Name of the Vulnerable Software and Affected Versions: opencms version 2.3 Description: The issue allows for Arbitrary file read in the src/main/webapp/view/admin/document/dataPage.jsp file. Recommendations: For opencms version 2.3, as a temporary workaround, consider restricting access to the...
WordPress Themesflat Addons For Elementor plugin <= 2.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin themesflat-addons-for-elementor versions <= 2.2.5...
WordPress SB Chart block plugin <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin SB Chart block versions <= 1.2.6...
PT-2025-17390 · Unknown · Phpgurukul Men Salon Management System
Name of the Vulnerable Software and Affected Versions: PHPGurukul Men Salon Management System version 1.0 Description: A critical vulnerability has been found in the PHPGurukul Men Salon Management System. The issue affects an unknown functionality of the file /admin/search-appointment.php. The...
WordPress User Registration & Membership Pro plugin <= 5.1.3 - Cross-Site Request Forgery to User Deletion vulnerability
Cross-Site Request Forgery to User Deletion vulnerability discovered by wesley (wcraft) in WordPress Plugin User Registration & Membership Pro versions <= 5.1.3...
CVE-2025-30357
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the malicious account. Once an administrator...