PT-2025-30310 · Drupal · Drupal Block Attributes

Name of the Vulnerable Software and Affected Versions: Drupal Block Attributes versions 0.0.0 through 1.0.9 Drupal Block Attributes versions 2.0.0 through 2.0.0 Description: A flaw exists in Drupal Block Attributes that allows for Cross-Site Scripting XSS. This issue is due to improper...

CVE-2025-47917

Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtlsx509stringtonames takes a head argument that is documented as an output argument. The documentation does not suggest that the function...

CVE-2025-7783

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated with program files lib/formdata.Js. This issue affects form-data: 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3...

PT-2025-30095 · Mrcms · Mrcms

Name of the Vulnerable Software and Affected Versions: MRCMS version 3.1.2 Description: The software contains a cross-site scripting XSS issue in the /admin/group/save.do component. Recommendations: At the moment, there is no information about a newer version that contains a fix for this...

PT-2025-29984 · Phpgurukul · Phpgurukul Art Gallery Management System

Name of the Vulnerable Software and Affected Versions: PHPGurukul Art Gallery Management System version 1.1 Description: A problematic issue has been identified in PHPGurukul Art Gallery Management System. The vulnerability is related to an unknown functionality within the...

CVE-2025-7338

Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service DoS by sending a malformed multi-part upload request. This request causes an unhandled...

CVE-2025-53941 Hollo renders posts received with form elements and allows submission

Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue...

CVE-2025-53927 MaxKB sandbox bypass

MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the shutil.copy2 method in Python to copy the command they...

CVE-2025-53935 WeGIA vulnerable to Reflected Cross-Site Scripting via endpoint `personalizacao_selecao.php` parameter `id`

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting XSS vulnerability was identified in the personalizacaoselecao.php endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers...

CVE-2025-24777

Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7...

WordPress JetTricks plugin <= 1.5.4.1 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting XSS Vulnerability discovered by stealthcopter in WordPress Plugin JetTricks versions = 1.5.4.1...

CVE-2025-52714 WordPress Traveler theme < 3.2.2 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in shinetheme Traveler traveler allows SQL Injection.This issue affects Traveler: from n/a through 3.2.2...

CVE-2025-54041

Cross-Site Request Forgery CSRF vulnerability in WP Swings Wallet System for WooCommerce wallet-system-for-woocommerce allows Cross Site Request Forgery.This issue affects Wallet System for WooCommerce: from n/a through = 2.6.7...

CVE-2025-54036

Cross-Site Request Forgery CSRF vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Cross Site Request Forgery.This issue affects Webba Booking: from n/a through = 5.1.20...

CVE-2025-54023

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WP Delicious WP Delicious delicious-recipes allows DOM-Based XSS.This issue affects WP Delicious: from n/a through = 1.8.4...

PT-2025-30098 · Tenda · Tenda Fh451

Name of the Vulnerable Software and Affected Versions: Tenda FH451 version 1.0.0.9 Description: A critical vulnerability exists in the fromSafeClientFilter function of the /goform/SafeClientFilter file. Manipulation of the Go/page argument leads to a stack-based buffer overflow, allowing for remo...

CVE-2025-53015

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0, infinite lines occur when writing during a specific XMP file conversion command. Version 7.1.2-0 fixes the issue...

CVE-2025-53641

Postiz is an AI social media scheduling tool. From 1.45.1 to 1.62.3, the Postiz frontend application allows an attacker to inject arbitrary HTTP headers into the middleware pipeline. This flaw enables a server-side request forgery SSRF condition, which can be exploited to initiate unauthorized...

CVE-2025-53628 cpp-httplib does not limit the length of a line

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a limit for a unique line, permitting an attacker to explore this to allocate memory arbitrarily. This vulnerability is fixed in 0.20.1. NOTE: This vulnerability is related...

CVE-2025-27613 Gitk can create and truncate files in the user's home directory

Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled...