
8229 matches found

Positive Technologies
added 2025/12/16 12:0 a.m., 3 views

PT-2025-51441

Name of the Vulnerable Software and Affected Versions: Barn2 Plugins Document Library Lite versions through 1.1.7. Description: The Document Library Lite plugin contains a flaw related to improper input handling during web page generation, leading to a Cross-site Scripting (XSS) condition. This specif...

CVSS 6.1, AI score 6.2, EPSS 0.00027
Exploits: 0, References: 3
Cvelist
added 2025/12/15 10:53 p.m., 13 views

CVE-2025-9121 Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data

Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods...

CVSS 8.8, EPSS 0.00094
Exploits: 0, References: 1
OSV
added 2025/12/15 8:15 p.m., 2 views

GO-2025-4222 CNA Plugins Portmap nftables backend can intercept non-local traffic in github.com/containernetworking/plugins

CNA Plugins Portmap nftables backend can intercept non-local traffic in github.com/containernetworking/plugins...

CVSS 6.6, AI score 6.9, EPSS 0.00013
Exploits: 0, References: 5
vulnersOsv
added 2025/12/15 11:39 a.m., 3 views

org.elasticsearch.plugin:transport-netty4 (>=9.2.0 <=9.2.1), org.elasticsearch.plugin:x-pack-core (>=9.2.0 <=9.2.1) +3 more potentially affected by CVE-2025-37731 via org.elasticsearch:elasticsearch-ssl-config (>=9.2.0 <=9.2.1)

org.elasticsearch:elasticsearch-ssl-config MAVEN version =9.2.0, =9.2.0, =9.2.0, =9.2.0, =9.2.0, =9.2.0, =9.2.1 Source cves: CVE-2025-37731 Source advisory: SNYK:JAVA-ORGELASTICSEARCH-14417579...

CVSS 7.4, AI score 5.8, EPSS 0.00038
Exploits: 0
Cvelist
added 2025/12/13 4:31 a.m., 23 views

CVE-2025-14288 Gallery Blocks with Lightbox <= 3.3.0 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification

The Gallery Blocks with Lightbox. Image Gallery, HTML5 video, YouTube, Vimeo Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the edit_posts...

CVSS 4.3, EPSS 0.00034
Exploits: 0, References: 3
vulnersOsv
added 2025/12/12 11:0 p.m., 7 views

ai.catboost:catboost-spark_4.0_2.13 (=1.2.10), ai.catboost:catboost-spark_4.1_2.13 (=1.2.10) +529 more potentially affected by CVE-2025-67721 via io.airlift:aircompressor (=2.0.2)

io.airlift:aircompressor MAVEN version =2.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on io.airlift:aircompressor and may be impacted: - ai.catboost:catboost-spark_4.0_2.13 =1.2.10 - ai.catboost:catboost-spark_4.1_2.13 =1.2.10 - ai.h2o:h2o-orc-parser...

CVSS 7.5, AI score 7.4, EPSS 0.00052
Exploits: 0
EUVD
added 2025/12/12 6:34 a.m., 2 views

EUVD-2025-203041

Malicious code in uba-plugins npm...

AI score 6.6
Exploits: 0, References: 1
OSSF Malicious Packages
added 2025/12/12 6:34 a.m., 5 views

Malicious code in uba-plugins (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcb257605c151aafe2aad5cfe0a574b33989c084ccee06ee6ff0b74c33afb907 The package uba-plugins was found to contain malicious code. Source: ghsa-malware 2a73b282a96cbf09b981101e3b9e4056c51c7d9524e1cf62a41d71ce8f90f36f An...

AI score 6.9
Exploits: 0, References: 3
OSV
added 2025/12/12 6:34 a.m., 5 views

MAL-2025-192567 Malicious code in uba-plugins (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcb257605c151aafe2aad5cfe0a574b33989c084ccee06ee6ff0b74c33afb907 The package uba-plugins was found to contain malicious code. Source: ghsa-malware 2a73b282a96cbf09b981101e3b9e4056c51c7d9524e1cf62a41d71ce8f90f36f An...

AI score 6.8
Exploits: 0, References: 3
Snyk
added 2025/12/12 6:34 a.m., 2 views

Malicious Package

Overview uba-plugins is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2
Patchstack
added 2025/12/11 10:13 p.m., 4 views

WordPress DebateMaster plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Color Options via 'debate' Shortcode vulnerability

Authenticated (Administrator+) Stored Cross-Site Scripting via Color Options via 'debate' Shortcode vulnerability discovered by ChamlaVic in WordPress Plugin DebateMaster versions <= 1.0.0...

CVSS 4.4, AI score 5.5, EPSS 0.00032
Exploits: 0, References: 1, Affected Software: 1
Wordfence Blog
added 2025/12/11 5:0 p.m., 21 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 1, 2025 to December 7, 2025)

Last week, there were 190 vulnerabilities disclosed in 173 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 59 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

CVSS 10, AI score 8.5, EPSS 0.7789
Exploits: 25
Patchstack
added 2025/12/11 12:42 a.m., 4 views

WordPress Widgets for Google Reviews plugin <= 13.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trustindex Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via trustindex Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Widgets for Google Reviews versions <= 13.2.1...

CVSS 6.4, AI score 5.5, EPSS 0.00032
Exploits: 0, References: 1, Affected Software: 1
Tenable Nessus
added 2025/12/11 12:0 a.m., 1 views

JetBrains IntelliJ IDEA Plugins Installed (Windows)

Binary data jetbrainsintellijideapluginsenumwin.nbin...

AI score 7
Exploits: 0, References: 1
RedhatCVE
added 2025/12/10 9:16 p.m., 2 views

CVE-2021-47701

OpenBMCS 2.4 allows an attacker to escalate privileges from a read user to an admin user by manipulating permissions and exploiting a vulnerability in the updateuserpermissions.php script. Attackers can submit a malicious HTTP POST request to PHP scripts in '/plugins/useradmin/' directory...

CVSS 8.8, AI score 7.1, EPSS 0.00129
Exploits: 2, References: 1
vulnersOsv
added 2025/12/10 6:30 p.m., 8 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67637 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67637 Source advisory: OSV:GHSA-FXJ7-6V9W-XC76...

CVSS 4.3, AI score 7.4, EPSS 0.00076
Exploits: 0
vulnersOsv
added 2025/12/10 6:30 p.m., 7 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67639 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67639 Source advisory: OSV:GHSA-6837-QGRC-X5P6...

CVSS 3.5, AI score 7.4, EPSS 0.00041
Exploits: 0
vulnersOsv
added 2025/12/10 6:30 p.m., 8 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +1889 more potentially affected by CVE-2025-67635 via org.jenkins-ci.main:jenkins-core (>=1.396 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.0.1, =1.0, =55.v51410e712e0c, =1.0, =0.0.1, =0.1.0, =1.0, =0.9, =1.3, =1.23 and more Source cves: CVE-2025-67635 Source advisory: OSV:GHSA-9P56-P6MW-W8QC...

CVSS 7.5, AI score 7.5, EPSS 0.00104
Exploits: 0
vulnersOsv
added 2025/12/10 6:30 p.m., 8 views

appscanstandard-integration:ibm-security-appscanstandard-scanner (>=1.0 <=2.8), au.com.versent.jenkins.plugins:ignore-committer-strategy (>=55.v51410e712e0c <=57.v0756db_b_f6926) +624 more potentially affected by CVE-2025-67636 via org.jenkins-ci.main:jenkins-core (>=2.0 <=2.528.2)

org.jenkins-ci.main:jenkins-core MAVEN version =2.0, =1.0, =55.v51410e712e0c, =4.1.0.506.v619d63bec9d8, =66.v12c841920f7d, =109.v2c51a117a7b4, =1.155.v3d884c1bdee1, =1.281.v331e3f5a05a9, =4050.v8ba69b587c39, =4050.v8ba69b587c39, =1.0.5, =2.0.0, =2.0, =1.0.2, =1.0.0, =1.0.6 and more So...

CVSS 4.3, AI score 7.4, EPSS 0.00215
Exploits: 0
vulnersOsv
added 2025/12/10 6:30 p.m., 4 views

au.com.versent.jenkins.plugins:ignore-committer-strategy (>=37.v0d3157c4a_ef8 <=57.v0756db_b_f6926), com.coravy.hudson.plugins.github:github (>=1.41.0 <=1.46.0.1) +37 more potentially affected by CVE-2025-67640 via org.jenkins-ci.plugins:git-client (>=6.1.0 <=6.4.0)

org.jenkins-ci.plugins:git-client MAVEN version =6.1.0, =37.v0d3157c4aef8, =1.41.0, =61.vf6d8f6f5ed02, =1.1.0.825.v30618768da42, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.0.0, =3.2083.vd36f32376929, =530.v38d502df428f, =634.v371dc6d978a3, =679.v74133dab435a and more...

CVSS 5, AI score 5.4, EPSS 0.00052
Exploits: 0