PT-2025-26631 · Dromara · Dromara Maxkey
Name of the Vulnerable Software and Affected Versions: Dromara MaxKey versions up to 4.1.7 Description: A critical issue affects the function Add of the SAML20DetailsController.java file in the Meta URL Handler component. The manipulation of the post argument leads to server-side request forgery,...
CVE-2025-50027
CVE-2025-50027 refers to a Cross-Site Scripting (stored XSS) vulnerability in the xootix WordPress Login/Signup Popup. Public records indicate the issue affects versions n/a through 2.9.4 of the Login/Signup Popup plugin and arises from improper input neutralization during web page generation. Im...
CVE-2025-50047
CVE-2025-50047 affects the WordPress plugin Sitekit (WordPress Sitekit) up to version 1.9. The issue is an improper input neutralization in web page generation, causing Stored XSS. Exploitation could allow an attacker to inject malicious scripts into pages viewed by other users. According to mu...
CVE-2025-6273
A vulnerability was found in WebAssembly wabt up to 1.0.37 and classified as problematic. This issue affects the function LogOpcode of the file src/binary-reader-objdump.cc. The manipulation leads to reachable assertion. Local access is required to approach this attack. The exploit has been...
CVE-2025-50201
WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, an OS Command Injection vulnerability was identified in the /html/configuracao/debuginfo.php endpoint. The branch parameter is not properly sanitized before being concatenated and executed in a shell command on the server...
CVE-2025-32510 WordPress Ovatheme Events Manager plugin <= 1.8.4 - Arbitrary File Upload vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in ovatheme Ovatheme Events Manager ova-events-manager allows Using Malicious Files. This issue affects Ovatheme Events Manager: from n/a through <= 1.8.4...
libxml2 security update
2.9.7-20 - Fix CVE-2025-32414 RHEL-88198...
CVE-2024-41797
A vulnerability has been identified in RUGGEDCOM RST2428P 6GK6242-6PA00 All versions V3.1, SCALANCE XC316-8 6GK5324-8TS00-2AC2 All versions V3.1, SCALANCE XC324-4 6GK5328-4TS00-2AC2 All versions V3.1, SCALANCE XC324-4 EEC 6GK5328-4TS00-2EC2 All versions V3.1, SCALANCE XC332 6GK5332-0GA00-2AC2 All...
CVE-2025-49141 HaxCMS-PHP Command Injection Vulnerability
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the gitImportSite functionality obtains a URL string from a POST request and insufficiently validates user input. The setremote function later passes this input into proc_open, yielding OS...
CVE-2025-49286
Cross-Site Request Forgery (CSRF) vulnerability in WP Table Builder WP Table Builder wp-table-builder allows Cross Site Request Forgery. This issue affects WP Table Builder: from n/a through <= 2.0.6...
CVE-2025-49309
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Team Member ht-team-member allows Stored XSS. This issue affects HT Team Member: from n/a through <= 1.1.7...
WordPress plugin Bang tinh vay cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripti...
CVE-2024-40113
Sitecom WLX-2006 Wall Mount Range Extender N300 v.1.5 and before is vulnerable to Use of Default Credentials...
CVE-2025-0620
A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again...
CVE-2025-48940
MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be...
WordPress WidgetKit plugin <= 2.5.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro Soares de Alcântara Kinorth in WordPress Plugin WidgetKit versions <= 2.5.4...
CVE-2025-39498 WordPress Spotlight - Social Media Feeds (Premium) plugin <= 1.7.1 - Sensitive Data Exposure vulnerability
Insertion of Sensitive Information Into Sent Data vulnerability in Spotlight Spotlight - Social Media Feeds Premium allows Retrieve Embedded Sensitive Data. This issue affects Spotlight - Social Media Feeds Premium: from n/a through 1.7.1...
PT-2025-22913 · Llisoft · Llisoft Mta Maita Training System
Name of the Vulnerable Software and Affected Versions: llisoft MTA Maita Training System version 4.5 Description: A critical issue has been found in the this.fileService.download function of the file comllisoftcontrollerOpenController.java. The manipulation of the url argument leads to unrestrict...
CVE-2024-45299
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The...
CVE-2024-43947
Cross-Site Request Forgery (CSRF) vulnerability in Dinesh Karki WP Armour Extended. This issue affects WP Armour Extended: from n/a through 1.26...