ID | Summary | Flags | Max Score |
---|---|---|---|
CVE-2025-6000 | Arbitrary Remote Code Execution via Plugin Catalog Abuse | | |
CVE-2025-6001 | VirtueMart - Cross Site Request Forgery (CSRF) | | |
CVE-2025-6002 | VirtueMart - Unrestricted File Upload | | |
CVE-2025-6003 | WordPress Single Sign-On (SSO) - Multiple Versions - Incorrect Authorization to Sensitive Information Exposure | | |
CVE-2025-6004 | Vault Userpass and LDAP User Lockout Bypass | | |
CVE-2025-6005 | kiCode111 like-girl aboutPost.php sql injection | E | |
CVE-2025-6006 | kiCode111 like-girl ImgUpdaPost.php sql injection | E | |
CVE-2025-6007 | kiCode111 like-girl CopyadminPost.php sql injection | E | |
CVE-2025-6008 | kiCode111 like-girl ImgAddPost.php sql injection | E | |
CVE-2025-6009 | kiCode111 like-girl ipAddPost.php sql injection | E | |
CVE-2025-6011 | Timing Side-Channel in Vault’s Userpass Auth Method | | |
CVE-2025-6012 | Auto Attachments <= 1.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting | | |
CVE-2025-6013 | Vault LDAP MFA Enforcement Bypass When Using Username As Alias | | |
CVE-2025-6014 | Vault TOTP Secrets Engine Code Reuse | | |
CVE-2025-6015 | Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse | | |
CVE-2025-6017 | Rhacm: users with clusterreader role can see credentials from managed-clusters | | |
CVE-2025-6018 | Pam-config: lpe from unprivileged to allow_active in pam | E M | |
CVE-2025-6019 | Libblockdev: lpe from allow_active to root in libblockdev via udisks | M | |
CVE-2025-6020 | Linux-pam: linux-pam directory traversal | M | |
CVE-2025-6021 | Libxml2: integer overflow in xmlbuildqname() leads to stack buffer overflow in libxml2 | M | |
CVE-2025-6022 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.... | R | |
CVE-2025-6023 | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve X... | M | |
CVE-2025-6025 | Order Tip for WooCommerce <= 1.5.4 - Unauthenticated Tip Manipulation to Negative Value Leading to Unauthorized Discounts | | |
CVE-2025-6029 | KIA-branded Aftermarket Generic Smart Keyless Entry System Replay Attack | S | |
CVE-2025-6030 | Autoeastern Smart Keyless Entry System Replay Attack | S | |
CVE-2025-6031 | Insecure device pairing in end of life Amazon Cloud Cam | | |
CVE-2025-6032 | Podman: podman missing tls verification | M | |
CVE-2025-6035 | Gimp: gimp integer overflow | M | |
CVE-2025-6037 | Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates | | |
CVE-2025-6039 | ProcessingJS for WordPress <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | | |
CVE-2025-6040 | Easy Flashcards <= 0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | |
CVE-2025-6041 | yContributors <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | |
CVE-2025-6043 | Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 16.8 - Authenticated (Subscriber+) Arbitrary File Deletion | | |
CVE-2025-6044 | An Improper Access Control vulnerability in the Stylus Tools component of Google ChromeOS version 16... | | |
CVE-2025-6050 | Stored Cross-Site Scripting (XSS) in Mezzanine CMS Admin Interface | E S | |
CVE-2025-6052 | Glib: integer overflow in g_string_maybe_expand() leading to potential buffer overflow in glib gstring | M | |
CVE-2025-6053 | Zuppler Online Ordering <= 2.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | |
CVE-2025-6054 | YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | |
CVE-2025-6055 | Zen Sticky Social <= 0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | |
CVE-2025-6056 | Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 ... | S | |
CVE-2025-6057 | WPBookit <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload | S | |
CVE-2025-6058 | WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload | S | |
CVE-2025-6059 | Seraphinite Accelerator <= 2.27.21 - Cross-Site Request Forgery to Multiple Administrative Actions | | |
CVE-2025-6060 | XSS in DECE Software's Geodi | | |
CVE-2025-6061 | kk Youtube Video <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | | |
CVE-2025-6062 | Yougler Blogger Profile Page <= v1.01 - Cross-Site Request Forgery to Settings Update | | |
CVE-2025-6063 | XiSearch bar <= 2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | |
CVE-2025-6064 | WP URL Shortener <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | |
CVE-2025-6065 | Image Resizer On The Fly <= 1.1 - Unauthenticated Arbitrary File Deletion | | |
CVE-2025-6068 | FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.31 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | | |
CVE-2025-6069 | HTMLParser quadratic complexity when processing malformed inputs | S | |
CVE-2025-6070 | Restrict File Access <= 1.1.2 - Authenticated (Subscriber+) Arbitrary File Read | | |
CVE-2025-6071 | Hard Coded Key used for AES encryption | | |
CVE-2025-6072 | Stack Buffer Overflow in MQTTCore | | |
CVE-2025-6073 | Stack Buffer Overflow in MQTTCore | | |
CVE-2025-6074 | Authentication Bypass to the MQTT configuration Web Interface | | |
CVE-2025-6076 | CVE-2025-6076 | | |
CVE-2025-6077 | CVE-2025-6077 | | |
CVE-2025-6078 | CVE-2025-6078 | | |
CVE-2025-6079 | School Management System <= 93.2.0 - Authenticated (Student+) Arbitrary File Upload | | |
CVE-2025-6080 | WPGYM <= 67.7.0 - Missing Authorization to Admin Account Creation | | |
CVE-2025-6081 | Pass-back attack in Konica Minolta bizhub 227 multifunctional printers | | |
CVE-2025-6082 | Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure | | |
CVE-2025-6083 | ExtremeCloud Universal ZTNA Improper Authorization | S | |
CVE-2025-6086 | CSV Me <= 2.0 - Authenticated (Administrator+) Arbitrary File Upload | | |
CVE-2025-6087 | SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint | | |
CVE-2025-6089 | Astun Technology iShare Maps atCheckJS.aspx redirect | | |
CVE-2025-6090 | H3C GR-5400AX aspForm UpdateIpv6params buffer overflow | E | |
CVE-2025-6091 | H3C GR-3000AX aspForm UpdateIpv6Params buffer overflow | E | |
CVE-2025-6092 | comfyanonymous comfyui Incomplete Fix CVE-2024-10099 image cross site scripting | E | |
CVE-2025-6093 | uYanki board-stm32f103rc-berial heartrate1_hal.c heartrate1_i2c_hal_write stack-based overflow | | |
CVE-2025-6094 | qianfox FoxCMS Download.php batchCope sql injection | E | |
CVE-2025-6095 | codesiddhant Jasmin Ransomware checklogin.php sql injection | E | |
CVE-2025-6096 | codesiddhant Jasmin Ransomware dashboard.php sql injection | E | |
CVE-2025-6097 | UTT 进取 750W Administrator Password setSysAdm formDefineManagement unverified password change | E | |
CVE-2025-6098 | UTT 进取 750W API setSysAdm strcpy buffer overflow | E | |
CVE-2025-6099 | szluyu99 gin-vue-blog PATCH Request manager.go improper authorization | E | |
CVE-2025-6100 | realguoshuai open-video-cms list sql injection | E | |
CVE-2025-6101 | letta-ai letta interface.py function_message eval injection | E | |
CVE-2025-6102 | Wifi-soft UniBox Controller logout.php os command injection | E | |
CVE-2025-6103 | Wifi-soft UniBox Controller test_accesscodelogin.php os command injection | E | |
CVE-2025-6104 | Wifi-soft UniBox Controller pms_check.php os command injection | E | |
CVE-2025-6105 | jflyfox jfinal_cms HOME.java cross-site request forgery | E | |
CVE-2025-6106 | WuKongOpenSource WukongCRM AdminRoleController.java cross-site request forgery | E | |
CVE-2025-6107 | comfyanonymous comfyui utils.py set_attr dynamically-determined object attributes | E | |
CVE-2025-6108 | hansonwang99 Spring-Boot-In-Action File Upload ImageUploadService.java watermarkTest path traversal | E | |
CVE-2025-6109 | javahongxi whatsmars InitializrController.java initialize path traversal | E | |
CVE-2025-6110 | Tenda FH1201 SafeMacFilter stack-based overflow | E | |
CVE-2025-6111 | Tenda FH1205 VirtualSer fromVirtualSer stack-based overflow | E | |
CVE-2025-6112 | Tenda FH1205 AdvSetLanip fromadvsetlanip buffer overflow | E | |
CVE-2025-6113 | Tenda FH1203 AdvSetLanip fromadvsetlanip buffer overflow | E | |
CVE-2025-6114 | D-Link DIR-619L form_portforwarding stack-based overflow | E | |
CVE-2025-6115 | D-Link DIR-619L form_macfilter stack-based overflow | E | |
CVE-2025-6116 | Das Parking Management System 停车场管理系统 API Search sql injection | E | |
CVE-2025-6117 | Das Parking Management System 停车场管理系统 API Search sql injection | E | |
CVE-2025-6118 | Das Parking Management System 停车场管理系统 API search sql injection | E | |
CVE-2025-6119 | Open Asset Import Library Assimp BVHLoader.cpp ReadNodeChannels use after free | E | |
CVE-2025-6120 | Open Asset Import Library Assimp HL1MDLLoader.cpp read_meshes heap-based overflow | E | |
CVE-2025-6121 | D-Link DIR-632 HTTP POST Request get_pure_content stack-based overflow | E | |
CVE-2025-6122 | code-projects Restaurant Order System table.php sql injection | E | |
CVE-2025-6123 | code-projects Restaurant Order System payment.php sql injection | E | |
CVE-2025-6124 | code-projects Restaurant Order System tablelow.php sql injection | E | |
CVE-2025-6125 | PHPGurukul Rail Pass Management System aboutus.php cross site scripting | E | |
CVE-2025-6126 | PHPGurukul Rail Pass Management System contact.php cross site scripting | E | |
CVE-2025-6127 | PHPGurukul Nipah Virus Testing Management System search-report.php cross site scripting | E | |
CVE-2025-6128 | TOTOLINK EX1200T HTTP POST Request formWirelessTbl buffer overflow | E | |
CVE-2025-6129 | TOTOLINK EX1200T HTTP POST Request formSaveConfig buffer overflow | E | |
CVE-2025-6130 | TOTOLINK EX1200T HTTP POST Request formStats buffer overflow | E | |
CVE-2025-6131 | CodeAstro Food Ordering System POST Request Parameter edit cross site scripting | E M | |
CVE-2025-6132 | Chanjet CRM departmentsetting.php sql injection | E | |
CVE-2025-6133 | Projectworlds Life Insurance Management System insertagent.php sql injection | E | |
CVE-2025-6134 | Projectworlds Life Insurance Management System insertClient.php sql injection | E | |
CVE-2025-6135 | Projectworlds Life Insurance Management System insertNominee.php sql injection | E | |
CVE-2025-6136 | Projectworlds Life Insurance Management System insertPayment.php sql injection | E | |
CVE-2025-6137 | TOTOLINK T10 HTTP POST Request cstecgi.cgi setWiFiScheduleCfg buffer overflow | E | |
CVE-2025-6138 | TOTOLINK T10 HTTP POST Request cstecgi.cgi setWizardCfg buffer overflow | E | |
CVE-2025-6139 | TOTOLINK T10 shadow.sample hard-coded password | E | |
CVE-2025-6140 | spdlog pattern_formatter-inl.h scoped_padder resource consumption | E S | |
CVE-2025-6141 | GNU ncurses parse_entry.c postprocess_termcap stack-based overflow | S | |
CVE-2025-6142 | Intera InHire server-side request forgery | E | |
CVE-2025-6143 | TOTOLINK EX1200T HTTP POST Request formNtp buffer overflow | E | |
CVE-2025-6144 | TOTOLINK EX1200T HTTP POST Request formSysCmd buffer overflow | E | |
CVE-2025-6145 | TOTOLINK EX1200T HTTP POST Request formSysLog buffer overflow | E | |
CVE-2025-6146 | TOTOLINK X15 HTTP POST Request formSysLog buffer overflow | E | |
CVE-2025-6147 | TOTOLINK A702R HTTP POST Request formSysLog buffer overflow | E | |
CVE-2025-6148 | TOTOLINK A3002RU HTTP POST Request formSysLog buffer overflow | E | |
CVE-2025-6149 | TOTOLINK A3002R HTTP POST Request formSysLog buffer overflow | E | |
CVE-2025-6150 | TOTOLINK X15 HTTP POST Request formMultiAP buffer overflow | E | |
CVE-2025-6151 | TP-Link TL-WR940N, TL-WR841N WanSlaacCfgRpm.htm buffer overflow | E | |
CVE-2025-6152 | Steel Browser files.routes.ts handleFileUpload path traversal | E S | |
CVE-2025-6153 | PHPGurukul Hostel Management System students.php sql injection | E | |
CVE-2025-6154 | PHPGurukul Hostel Management System login.inc.php sql injection | E | |
CVE-2025-6155 | PHPGurukul Hostel Management System login-hm.inc.php sql injection | E | |
CVE-2025-6156 | PHPGurukul Nipah Virus Testing Management System bwdates-report-ds.php sql injection | E | |
CVE-2025-6157 | PHPGurukul Nipah Virus Testing Management System registered-user-testing.php sql injection | E | |
CVE-2025-6158 | D-Link DIR-665 HTTP POST Request sub_AC78 stack-based overflow | E | |
CVE-2025-6159 | code-projects Hostel Management System allocate_room.php sql injection | E | |
CVE-2025-6160 | SourceCodester Client Database Management System user_customer_create_order.php sql injection | E | |
CVE-2025-6161 | SourceCodester Simple Food Ordering System editproduct.php unrestricted upload | E | |
CVE-2025-6162 | TOTOLINK EX1200T HTTP POST Request formMultiAP buffer overflow | E | |
CVE-2025-6163 | TOTOLINK A3002RU HTTP POST Request formMultiAP buffer overflow | E | |
CVE-2025-6164 | TOTOLINK A3002R HTTP POST Request formMultiAP buffer overflow | E | |
CVE-2025-6165 | TOTOLINK X15 HTTP POST Request formTmultiAP buffer overflow | E | |
CVE-2025-6166 | frdel Agent-Zero image_get.py image_get path traversal | S | |
CVE-2025-6167 | themanojdesai python-a2a api.py create_workflow path traversal | E S | |
CVE-2025-6168 | Incorrect Authorization in GitLab | E S | |
CVE-2025-6169 | HAMASTAR Technology WIMP website co-construction management platform - SQL Injection | S | |
CVE-2025-6170 | Libxml2: stack buffer overflow in xmllint interactive shell command handling | M | |
CVE-2025-6172 | Permission vulnerability in the mobile application (com.afmobi.boomplayer) may lead to the risk of u... | | |
CVE-2025-6173 | Webkul QloApps ajax_products_list.php sql injection | E | |
CVE-2025-6174 | WordPress Qwizcards <= 3.9.4 - Reflected XSS | E | |
CVE-2025-6175 | CRLF Injection in DECE Software's Geodi | | |
CVE-2025-6177 | ChromeOS MiniOS Root Code Execution Bypass While Dev Mode Blocked | | |
CVE-2025-6179 | ChromeOS Extension Disablement and Developer Mode Bypass via ExtHang3r and ExtPrint3r Exploits | E | |
CVE-2025-6180 | Authentication Hijack | S | |
CVE-2025-6181 | The StrongDM Windows service incorrectly handled input validation. Authenticated attackers could pot... | | |
CVE-2025-6182 | Root Certificate Injection | | |
CVE-2025-6183 | Configd Injection | | |
CVE-2025-6184 | Tutor LMS Pro – eLearning and online course solution <= 3.7.0 - Authenticated (Tutor Instructor+) SQL Injection | | |
CVE-2025-6185 | Leviton AcquiSuite and Energy Monitoring Hub Cross-site Scripting | M | |
CVE-2025-6186 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab | E S | |
CVE-2025-6187 | bSecure 1.3.7 - 1.7.9 - Missing Authorization to Unauthenticated Privilege Escalation via order_info REST Endpoint | | |
CVE-2025-6188 | On affected platforms running Arista EOS, maliciously formed UDP packets with source port 3503 may be accepted by EOS. UDP Port 3503 is associated with LspPing Echo Reply. This can result in unexpected behaviors, especially for UDP based services that do n | S | |
CVE-2025-6190 | Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function | | |
CVE-2025-6191 | Integer overflow in V8 in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potenti... | | |
CVE-2025-6192 | Use after free in Metrics in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to pote... | | |
CVE-2025-6193 | Trustyai-explainability: command injection via lmevaljob cr | | |
CVE-2025-6196 | Libgepub: integer overflow in libgepub's epub archive handling | E M | |
CVE-2025-6197 | An open redirect vulnerability has been identified in Grafana OSS organization switching functionali... | M | |
CVE-2025-6199 | Gdk-pixbuf: uninitialized memory disclosure in gdkpixbuf gif lzw decoder | M | |
CVE-2025-6200 | GeoDirectory < 2.8.120 - Contributor+ Stored XSS | E | |
CVE-2025-6201 | Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode | | |
CVE-2025-6203 | Vault unauthenticated denial of service through complex json payload | | |
CVE-2025-6204 | Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 | | |
CVE-2025-6205 | Missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 | | |
CVE-2025-6206 | Aiomatic - AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload | | |
CVE-2025-6207 | WP Import Export Lite <= 3.9.28 - Authenticated (Subscriber+) Arbitrary File Upload | S | |
CVE-2025-6209 | Arbitrary File Read through Path Traversal in run-llama/llama_index | E S | |
CVE-2025-6210 | Hardlink-Based Path Traversal in run-llama/llama_index | E S | |
CVE-2025-6211 | MD5 Hash Collision in run-llama/llama_index | E S | |
CVE-2025-6212 | Ultra Addons for Contact Form 7 3.5.11 - 3.5.19 - Unauthenticated Stored Cross-Site Scripting via Database module | S | |
CVE-2025-6213 | Nginx Cache Purge Preload <= 2.1.1 - Authenticated (Administrator+) Remote Code Execution | | |
CVE-2025-6214 | Omnishop <= 1.0.9 - Cross-Site Request Forgery to Arbitrary User Deletion via /users/delete REST Endpoint | | |
CVE-2025-6215 | Omnishop <= 1.0.9 - Missing Registration Restriction to Unauthenticated Account Creation via /users/register REST Endpoint | | |
CVE-2025-6216 | Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability | | |
CVE-2025-6217 | PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability | | |
CVE-2025-6218 | RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability | | |
CVE-2025-6220 | Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options' | E S | |
CVE-2025-6221 | Embed Bokun <= 0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter | | |
CVE-2025-6222 | WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet <= 3.2.6 - Unauthenticated Arbitrary File Upload | | |
CVE-2025-6224 | Key leakage in juju/utils certificates | | |
CVE-2025-6226 | IDOR in CreatePost API allows for timeboxed message disclosure | S | |
CVE-2025-6227 | Invite token is used as part of the secure communication | S | |
CVE-2025-6228 | Sina Extension for Elementor <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets | | |
CVE-2025-6230 | A SQL injection vulnerability was reported in Lenovo Vantage that could allow a local attacker to mo... | S | |
CVE-2025-6231 | An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions co... | S | |
CVE-2025-6232 | An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions co... | S | |
CVE-2025-6233 | Arbitrary file read by system admin via path traversal | S | |
CVE-2025-6234 | Hostel < 1.1.5.8 - Reflected XSS | E | |
CVE-2025-6235 | ExtremeControl (NAC) 'onmouseover' XSS | S | |
CVE-2025-6236 | Hostel < 1.1.5.9 - Admin+ Stored XSS | E | |
CVE-2025-6238 | AI Engine 2.8.4 - Insecure OAuth Implementation | S | |
CVE-2025-6240 | Profisee Path Traversal Vulnerability | S | |
CVE-2025-6241 | CVE-2025-6241 | | |
CVE-2025-6244 | Essential Addons for Elementor – Popular Elementor Templates and Widgets <= 6.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Calendar` And `Business Reviews` Widgets | S | |
CVE-2025-6247 | WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.118.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | |
CVE-2025-6248 | A cross-site scripting (XSS) vulnerability was reported in the Lenovo Browser that could allow an at... | S | |
CVE-2025-6249 | An authentication bypass vulnerability was reported in FileZ client application that could allow a l... | S | |
CVE-2025-6250 | Privilege Management for Windows - Elevation of Privilege | | |
CVE-2025-6252 | Qi Addons For Elementor <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | S | |
CVE-2025-6253 | UiCore Elements <= 1.3.0 - Missing Authorization to Unauthenticated Arbitrary File Read | | |
CVE-2025-6255 | Dynamic AJAX Product Filters for WooCommerce <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter | | |
CVE-2025-6256 | Flex Guten <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via thumbnailHoverEffect Parameter | | |
CVE-2025-6257 | Euro FxRef Currency Converter <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via currency Shortcode | | |
CVE-2025-6258 | WP SoundSystem <= 3.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsstm-track Shortcode | | |
CVE-2025-6259 | esri-map-view <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via esri-map-view Shortcode | | |
CVE-2025-6260 | Network Thermostat X-Series WiFi Thermostats Missing Authentication for Critical Function | S | |
CVE-2025-6261 | Fleetwire Fleet Management Plugin <= 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via fleetwire_list Shortcode | | |
CVE-2025-6262 | muse.ai video embedding <= 0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via muse-ai Shortcode | | |
CVE-2025-6264 | Velociraptor privilege escalation via UpdateConfig artifact | M | |
CVE-2025-6265 | A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware vers... | | |
CVE-2025-6266 | FLIR AX8 upload.php unrestricted upload | E | |
CVE-2025-6267 | zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 barcodeDetail sql injection | | |
CVE-2025-6268 | Luna Imaging search cross site scripting | | |
CVE-2025-6269 | HDF5 H5Cimage.c H5C__reconstruct_cache_entry heap-based overflow | E | |
CVE-2025-6270 | HDF5 H5FSsection.c H5FS__sect_find_node heap-based overflow | E | |
CVE-2025-6271 | swftools wav2swf wav.c wav_convert2mono out-of-bounds | E | |
CVE-2025-6272 | wasm3 m3_compile.c MarkSlotAllocated out-of-bounds write | E | |
CVE-2025-6273 | WebAssembly wabt binary-reader-objdump.cc LogOpcode assertion | E | |
CVE-2025-6274 | WebAssembly wabt binary-reader-interp.cc OnDataCount resource consumption | E | |
CVE-2025-6275 | WebAssembly wabt binary-reader-interp.cc GetFuncOffset use after free | E | |
CVE-2025-6276 | Brilliance Golden Link Secondary System rentTakeInfoPage.htm sql injection | E | |
CVE-2025-6277 | Brilliance Golden Link Secondary System custTakeInfoPage.htm sql injection | E | |
CVE-2025-6278 | Upsonic server.py os.path.join path traversal | E | |
CVE-2025-6279 | Upsonic Pickle add_tool cloudpickle.loads deserialization | E | |
CVE-2025-6280 | TransformerOptimus SuperAGI EmailToolKit read_email.py download_attachment path traversal | E | |
CVE-2025-6281 | OpenBMB XAgent community path traversal | E | |
CVE-2025-6282 | xlang-ai OpenAgents file.py create_upload_file path traversal | E | |
CVE-2025-6283 | xataio Xata Agent route.ts GET path traversal | E S | |
CVE-2025-6284 | PHPGurukul Car Rental Portal cross-site request forgery | E | |
CVE-2025-6285 | PHPGurukul COVID19 Testing Management System search-report-result.php cross site scripting | | |
CVE-2025-6286 | PHPGurukul COVID19 Testing Management System search-report-result.php redirect | | |
CVE-2025-6287 | PHPGurukul COVID19 Testing Management System Take Action test-details.php cross site scripting | | |
CVE-2025-6288 | PHPGurukul Bus Pass Management System Profile Page admin-profile.php cross site scripting | | |
CVE-2025-6290 | Tournament Bracket Generator <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via bracket Shortcode | | |
CVE-2025-6291 | D-Link DIR-825 HTTP POST Request do_file stack-based overflow | E | |
CVE-2025-6292 | D-Link DIR-825 HTTP POST Request sub_4091AC stack-based overflow | E | |
CVE-2025-6293 | code-projects Hostel Management System contact_manager.php sql injection | E | |
CVE-2025-6294 | code-projects Hostel Management System contact.php sql injection | E | |
CVE-2025-6295 | code-projects Hostel Management System allocated_rooms.php sql injection | E | |
CVE-2025-6296 | code-projects Hostel Management System empty_rooms.php sql injection | E | |
CVE-2025-6297 | dpkg-deb: Fix cleanup for control member with restricted directories | S | |
CVE-2025-6299 | TOTOLINK N150RT formWSC os command injection | E | |
CVE-2025-6300 | PHPGurukul Employee Record Management System editempeducation.php sql injection | E | |
CVE-2025-6301 | PHPGurukul Notice Board System Add Notice manage-notices.php cross site scripting | | |
CVE-2025-6302 | TOTOLINK EX1200T cstecgi.cgi setStaticDhcpConfig stack-based overflow | E | |
CVE-2025-6303 | code-projects Online Shoe Store contactus1.php sql injection | E | |
CVE-2025-6304 | code-projects Online Shoe Store cart.php sql injection | E | |
CVE-2025-6305 | code-projects Online Shoe Store admin_feature.php sql injection | E | |
CVE-2025-6306 | code-projects Online Shoe Store admin_index.php sql injection | E | |
CVE-2025-6307 | code-projects Online Shoe Store edit_customer.php sql injection | E | |
CVE-2025-6308 | PHPGurukul Emergency Ambulance Hiring Portal bwdates-request-report-details.php sql injection | E | |
CVE-2025-6309 | PHPGurukul Emergency Ambulance Hiring Portal add-ambulance.php sql injection | E | |
CVE-2025-6310 | PHPGurukul Emergency Ambulance Hiring Portal index.php sql injection | E | |
CVE-2025-6311 | Campcodes Sales and Inventory System account_add.php sql injection | E | |
CVE-2025-6312 | Campcodes Sales and Inventory System cash_transaction.php sql injection | E | |
CVE-2025-6313 | Campcodes Sales and Inventory System cat_add.php sql injection | E | |
CVE-2025-6314 | Campcodes Sales and Inventory System cat_update.php sql injection | E | |
CVE-2025-6315 | code-projects Online Shoe Store cart2.php sql injection | E | |
CVE-2025-6316 | code-projects Online Shoe Store admin_running.php sql injection | E | |
CVE-2025-6317 | code-projects Online Shoe Store confirm.php sql injection | E | |
CVE-2025-6318 | PHPGurukul Pre-School Enrollment System check_availability.php sql injection | E | |
CVE-2025-6319 | PHPGurukul Pre-School Enrollment System add-teacher.php sql injection | E | |
CVE-2025-6320 | PHPGurukul Pre-School Enrollment System add-class.php sql injection | E | |
CVE-2025-6321 | PHPGurukul Pre-School Enrollment System add-subadmin.php sql injection | E | |
CVE-2025-6322 | PHPGurukul Pre-School Enrollment System visit.php sql injection | E | |
CVE-2025-6323 | PHPGurukul Pre-School Enrollment System enrollment.php sql injection | E | |
CVE-2025-6328 | D-Link DIR-815 hedwig.cgi sub_403794 stack-based overflow | E | |
CVE-2025-6329 | ScriptAndTools Real Estate Management System User Delete userdelete.php authorization | E | |
CVE-2025-6330 | PHPGurukul Directory Management System searchdata.php sql injection | E | |
CVE-2025-6331 | PHPGurukul Directory Management System search-directory.php sql injection | E | |
CVE-2025-6332 | PHPGurukul Directory Management System manage-directory.php sql injection | E | |
CVE-2025-6333 | PHPGurukul Directory Management System admin-profile.php sql injection | E | |
CVE-2025-6334 | D-Link DIR-867 Query String strncpy stack-based overflow | E | |
CVE-2025-6335 | DedeCMS Template dedetag.class.php command injection | E | |
CVE-2025-6336 | TOTOLINK EX1200T HTTP POST Request formTmultiAP buffer overflow | E | |
CVE-2025-6337 | TOTOLINK A3002R/A3002RU HTTP POST Request formTmultiAP buffer overflow | E | |
CVE-2025-6339 | ponaravindb Hospital Management System func3.php sql injection | E | |
CVE-2025-6340 | code-projects School Fees Payment System branch.php cross site scripting | E | |
CVE-2025-6341 | code-projects School Fees Payment System cross-site request forgery | E | |
CVE-2025-6342 | code-projects Online Shoe Store admin_football.php sql injection | E | |
CVE-2025-6343 | code-projects Online Shoe Store admin_product.php sql injection | E | |
CVE-2025-6344 | code-projects Online Shoe Store contactus.php sql injection | E | |
CVE-2025-6345 | SourceCodester My Food Recipe Add Recipe Page add-recipe.php addRecipeModal cross site scripting | E | |
CVE-2025-6346 | SourceCodester Advance Charity Management System fundDetails.php sql injection | E | |
CVE-2025-6347 | code-projects Responsive Blog pageViewMembers.php cross site scripting | E | |
CVE-2025-6348 | Smart Slider 3 <= 3.5.1.28 - Authenticated (Administrator+) SQL Injection via `sliderid` Parameter | | |
CVE-2025-6350 | WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.32 - Authenticated (Contributor+) Stored Cross-Site Scripting | S | |
CVE-2025-6351 | itsourcecode Employee Record Management System editprofile.php sql injection | E | |
CVE-2025-6352 | code-projects Automated Voting System Backend vote.php direct request | E | |
CVE-2025-6353 | code-projects Responsive Blog search.php cross site scripting | E | |
CVE-2025-6354 | code-projects Online Shoe Store customer_signup.php sql injection | E | |
CVE-2025-6355 | SourceCodester Online Hotel Reservation System execeditroom.php sql injection | E | |
CVE-2025-6356 | code-projects Simple Pizza Ordering System addmem.php sql injection | E | |
CVE-2025-6357 | code-projects Simple Pizza Ordering System paymentportal.php sql injection | E | |
CVE-2025-6358 | code-projects Simple Pizza Ordering System saveorder.php sql injection | E | |
CVE-2025-6359 | code-projects Simple Pizza Ordering System cashconfirm.php sql injection | E | |
CVE-2025-6360 | code-projects Simple Pizza Ordering System portal.php sql injection | E | |
CVE-2025-6361 | code-projects Simple Pizza Ordering System adds.php sql injection | E | |
CVE-2025-6362 | code-projects Simple Pizza Ordering System editpro.php sql injection | E | |
CVE-2025-6363 | code-projects Simple Pizza Ordering System adding-exec.php sql injection | E | |
CVE-2025-6364 | code-projects Simple Pizza Ordering System adduser-exec.php sql injection | E | |
CVE-2025-6365 | HobbesOSR Kitten pgtable.h set_pte_at resource consumption | E | |
CVE-2025-6366 | Event List <= 2.0.4 - Authenticated (Subscriber+) Privilege Escalation | | |
CVE-2025-6367 | D-Link DIR-619L formSetDomainFilter stack-based overflow | E | |
CVE-2025-6368 | D-Link DIR-619L formSetEmail stack-based overflow | E | |
CVE-2025-6369 | D-Link DIR-619L formdumpeasysetup stack-based overflow | E | |
CVE-2025-6370 | D-Link DIR-619L formWlanGuestSetup stack-based overflow | E | |
CVE-2025-6371 | D-Link DIR-619L formSetEnableWizard stack-based overflow | E | |
CVE-2025-6372 | D-Link DIR-619L formSetWizard1 stack-based overflow | E | |
CVE-2025-6373 | D-Link DIR-619L formWlSiteSurvey formSetWizard1 stack-based overflow | E | |
CVE-2025-6374 | D-Link DIR-619L formSetACLFilter stack-based overflow | E | |
CVE-2025-6375 | poco MultipartReader.cpp MultipartInputStream null pointer dereference | E S | |
CVE-2025-6376 | Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability | S | |
CVE-2025-6377 | Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability | S | |
CVE-2025-6378 | Responsive Food and Drink Menu <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via display_pdf_menus Shortcode | | |
CVE-2025-6379 | BeeTeam368 Extensions Pro <= 2.3.4 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion | | |
CVE-2025-6380 | ONLYOFFICE Docs 1.1.0 - 2.2.0 - Missing Authorization to Unauthenticated Privilege Escalation via callback Function | | |
CVE-2025-6381 | BeeTeam368 Extensions <= 2.3.4 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion | | |
CVE-2025-6382 | Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute | | |
CVE-2025-6383 | WP-PhotoNav <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via photonav Shortcode | | |
CVE-2025-6384 | Improper Control of Dynamically-Managed Code Resources in Crafter Studio | | |
CVE-2025-6385 | WP Applink <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter | | |
CVE-2025-6386 | Timing Attack Vulnerability in parisneo/lollms | | |
CVE-2025-6387 | WP Get The Table <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter | | |
CVE-2025-6390 | Cleartext storage of sensitive information in Brocade SANnav server audit logs. | | |
CVE-2025-6391 | JSON Web Token (JWT) Exposure in Log Files | | |
CVE-2025-6392 | Daily Data Dump Collector logs database password in cleartext when running docker exec commands (CVE-2025-6392) | | |
CVE-2025-6393 | TOTOLINK A702R/A3002R/A3002RU/EX1200T HTTP POST Request formIPv6Addr buffer overflow | E | |
CVE-2025-6394 | code-projects Simple Online Hotel Reservation System add_reserve.php sql injection | E | |
CVE-2025-6395 | Gnutls: null pointer dereference in _gnutls_figure_common_ciphersuite() | M | |
CVE-2025-6398 | A null pointer dereference vulnerability exists in the IOMap64.sys driver of ASUS AI Suite 3. The vu... | | |
CVE-2025-6399 | TOTOLINK X15 HTTP POST Request formIPv6Addr buffer overflow | E | |
CVE-2025-6400 | TOTOLINK N300RH HTTP POST Message formPortFw buffer overflow | E | |
CVE-2025-6401 | TOTOLINK N300RH HTTP POST Message formFilter denial of service | E | |
CVE-2025-6402 | TOTOLINK X15 HTTP POST Request formIpv6Setup buffer overflow | E | |
CVE-2025-6403 | code-projects School Fees Payment System student.php sql injection | E | |
CVE-2025-6404 | Campcodes Online Teacher Record Management System search.php sql injection | E | |
CVE-2025-6405 | Campcodes Online Teacher Record Management System edit-teacher-detail.php sql injection | E | |
CVE-2025-6406 | Campcodes Online Hospital Management System forgot-password.php sql injection | E | |
CVE-2025-6407 | Campcodes Online Hospital Management System user-login.php sql injection | E | |
CVE-2025-6408 | Campcodes Online Hospital Management System search.php sql injection | E | |
CVE-2025-6409 | PHPGurukul Art Gallery Management System forgot-password.php sql injection | E | |
CVE-2025-6410 | PHPGurukul Art Gallery Management System edit-art-medium-detail.php sql injection | E | |
CVE-2025-6411 | PHPGurukul Art Gallery Management System changepropic.php sql injection | E | |
CVE-2025-6412 | PHPGurukul Art Gallery Management System changeimage.php sql injection | E | |
CVE-2025-6413 | PHPGurukul Art Gallery Management System changeimage1.php sql injection | E | |
CVE-2025-6414 | PHPGurukul Art Gallery Management System changeimage2.php sql injection | E | |
CVE-2025-6415 | PHPGurukul Art Gallery Management System changeimage3.php sql injection | E | |
CVE-2025-6416 | PHPGurukul Art Gallery Management System changeimage4.php sql injection | E | |
CVE-2025-6417 | PHPGurukul Art Gallery Management System add-artist.php sql injection | E | |
CVE-2025-6418 | code-projects Simple Online Hotel Reservation System edit_query_account.php sql injection | E | |
CVE-2025-6419 | code-projects Simple Online Hotel Reservation System edit_room.php sql injection | E | |
CVE-2025-6420 | code-projects Simple Online Hotel Reservation System add_room.php sql injection | E | |
CVE-2025-6421 | code-projects Simple Online Hotel Reservation System add_account.php sql injection | E | |
CVE-2025-6422 | Campcodes Online Recruitment Management System About Content Page ajax.php unrestricted upload | E | |
CVE-2025-6423 | BeeTeam368 Extensions <= 2.3.5 - Authenticated (Subscriber+) Arbitrary File Upload | | |
CVE-2025-6424 | A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affe... | | |
CVE-2025-6425 | An attacker who enumerated resources from the WebCompat extension could have obtained a persistent U... | | |
CVE-2025-6426 | The executable file warning did not warn users before opening files with the `terminal` extension. ... | | |
CVE-2025-6427 | An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulat... | | |
CVE-2025-6428 | When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL i... | E | |
CVE-2025-6429 | Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing ... | | |
CVE-2025-6430 | When a file download is specified via the `Content-Disposition` header, that directive would be igno... | | |
CVE-2025-6431 | When a link can be opened in an external application, Firefox for Android will, by default, prompt t... | | |
CVE-2025-6432 | When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the d... | | |
CVE-2025-6433 | If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage w... | | |
CVE-2025-6434 | The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked a... | | |
CVE-2025-6435 | If a user saved a response from the Network tab in Devtools using the Save As context menu option, t... | | |
CVE-2025-6436 | Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of... | | |
CVE-2025-6437 | Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated SQL Injection via oid | | |
CVE-2025-6438 | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that co... | | |
CVE-2025-6441 | Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings \| WebinarIgnition <= 4.03.31 - Unauthenticated Login Token Generation to Authentication Bypass | | |
CVE-2025-6442 | Ruby WEBrick read_header HTTP Request Smuggling Vulnerability | S | |
CVE-2025-6443 | Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability | | |
CVE-2025-6444 | ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability | | |
CVE-2025-6445 | ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability | | |
CVE-2025-6446 | code-projects Client Details System index.php sql injection | E | |
CVE-2025-6447 | code-projects Simple Online Hotel Reservation System index.php sql injection | E | |
CVE-2025-6448 | code-projects Simple Online Hotel Reservation System delete_room.php sql injection | E | |
CVE-2025-6449 | code-projects Simple Online Hotel Reservation System checkout_query.php sql injection | E | |
CVE-2025-6450 | code-projects Simple Online Hotel Reservation System confirm_reserve.php sql injection | E | |
CVE-2025-6451 | code-projects Simple Online Hotel Reservation System delete_pending.php sql injection | E | |
CVE-2025-6452 | CodeAstro Patient Record Management System Generate New Report Page cross site scripting | E M | |
CVE-2025-6453 | diyhi bbs API ForumManageAction.java add path traversal | E | |
CVE-2025-6455 | code-projects Online Hotel Reservation System messageexec.php sql injection | E | |
CVE-2025-6456 | code-projects Online Hotel Reservation System order.php sql injection | E | |
CVE-2025-6457 | code-projects Online Hotel Reservation System demo.php sql injection | E | |
CVE-2025-6458 | code-projects Online Hotel Reservation System execedituser.php sql injection | E | |
CVE-2025-6459 | Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate | | |
CVE-2025-6462 | EZ SQL Reports Shortcode Widget and DB Backup <= 5.25.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode | S | |
CVE-2025-6463 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion | S | |
CVE-2025-6464 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion | S | |
CVE-2025-6465 | Path traversal in image upload with preview overwrite | S | |
CVE-2025-6466 | ageerle ruoyi-ai SseServiceImpl.java upload unrestricted upload | E S | |
CVE-2025-6467 | code-projects Online Bidding System login.php sql injection | E | |
CVE-2025-6468 | code-projects Online Bidding System bidnow.php sql injection | E | |
CVE-2025-6469 | code-projects Online Bidding System details.php sql injection | E | |
CVE-2025-6470 | code-projects Online Bidding System bidlog.php sql injection | E | |
CVE-2025-6471 | code-projects Online Bidding System administrator sql injection | E | |
CVE-2025-6472 | code-projects Online Bidding System showprod.php sql injection | E | |
CVE-2025-6473 | code-projects School Fees Payment System fees.php cross site scripting | E | |
CVE-2025-6474 | code-projects Inventory Management System changeUsername.php sql injection | E | |
CVE-2025-6475 | SourceCodester Student Result Management System Manage Students Module manage_students cross site scripting | E | |
CVE-2025-6476 | SourceCodester Gym Management System cross-site request forgery | E | |
CVE-2025-6477 | SourceCodester Student Result Management System System Settings Page system cross site scripting | E | |
CVE-2025-6478 | CodeAstro Expense Management System cross-site request forgery | | |
CVE-2025-6479 | code-projects Simple Pizza Ordering System salesreport.php sql injection | E | |
CVE-2025-6480 | code-projects Simple Pizza Ordering System addcatexec.php sql injection | E | |
CVE-2025-6481 | code-projects Simple Pizza Ordering System update.php sql injection | E | |
CVE-2025-6482 | code-projects Simple Pizza Ordering System edituser-exec.php sql injection | E | |
CVE-2025-6483 | code-projects Simple Pizza Ordering System edituser.php sql injection | E | |
CVE-2025-6484 | code-projects Online Shopping Store action.php sql injection | E | |
CVE-2025-6485 | TOTOLINK A3002R formWlSiteSurvey os command injection | E | |
CVE-2025-6486 | TOTOLINK A3002R formWlanMultipleAP stack-based overflow | E | |
CVE-2025-6487 | TOTOLINK A3002R formRoute stack-based overflow | E | |
CVE-2025-6488 | isMobile <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via device Parameter | | |
CVE-2025-6489 | itsourcecode Agri-Trading Online Shopping System transactionsave.php sql injection | E | |
CVE-2025-6490 | sparklemotion nokogiri hashmap.c hashmap_set_with_hash heap-based overflow | E S | |
CVE-2025-6491 | NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix | E | |
CVE-2025-6492 | MarkText index.js getRecommendTitleFromMarkdownString redos | E | |
CVE-2025-6493 | CodeMirror Markdown Mode markdown.js redos | E | |
CVE-2025-6494 | sparklemotion nokogiri hashmap.c hashmap_get_with_hash heap-based overflow | E S | |
CVE-2025-6495 | Bricks Builder <= 1.12.4 - Unauthenticated SQL Injection via `p` Parameter | | |
CVE-2025-6496 | HTACG tidy-html5 parser.c InsertNodeAsParent null pointer dereference | E | |
CVE-2025-6497 | HTACG tidy-html5 parser.c prvTidyParseNamespace assertion | E | |
CVE-2025-6498 | HTACG tidy-html5 alloc.c defaultAlloc memory leak | E | |
CVE-2025-6499 | vstakhov libucl ucl_parser.c ucl_parse_multiline_string heap-based overflow | E | |
CVE-2025-6500 | code-projects Inventory Management System editCategories.php sql injection | E | |
CVE-2025-6501 | code-projects Inventory Management System createCategories.php sql injection | E | |
CVE-2025-6502 | code-projects Inventory Management System changePassword.php sql injection | E | |
CVE-2025-6503 | code-projects Inventory Management System fetchSelectedCategories.php sql injection | E | |
CVE-2025-6504 | Possibilities of IP Spoofing via X-Forwarded-For (XFF) Header | S | |
CVE-2025-6505 | Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Softwar... | S | |
CVE-2025-6509 | seaswalker spring-analysis SimpleController.java echo cross site scripting | E | |
CVE-2025-6510 | Netgear EX6100 sub_415EF8 stack-based overflow | E | |
CVE-2025-6511 | Netgear EX6150 sub_410090 stack-based overflow | E | |
CVE-2025-6512 | Scripts within reports executable on BRAIN2 Server | S | |
CVE-2025-6513 | BRAIN2 Configuration file for database access not sufficiently secured | S | |
CVE-2025-6514 | OS command injection in mcp-remote when connecting to untrusted MCP servers | S | |
CVE-2025-6516 | HDF5 H5Fint.c H5F_addr_decode_len heap-based overflow | E | |
CVE-2025-6517 | Dromara MaxKey Meta URL SAML20DetailsController.java add server-side request forgery | E | |
CVE-2025-6518 | PySpur-Dev pyspur Jinja2 Template single_llm_call.py SingleLLMCallNode special elements used in a template engine | E | |
CVE-2025-6521 | TrendMakers Sight Bulb Pro Use of a Broken or Risky Cryptographic Algorithm | M | |
CVE-2025-6522 | TrendMakers Sight Bulb Pro Command Injection | M | |
CVE-2025-6523 | Use of weak credentials in emergency authentication component in Devolutions Server allows an unauth... | | |
CVE-2025-6524 | 70mai 1S Video Services improper authentication | E | |
CVE-2025-6525 | 70mai 1S Configuration Config.cgi improper authorization | E | |
CVE-2025-6526 | 70mai M300 HTTP Server insufficiently protected credentials | E | |
CVE-2025-6527 | 70mai M300 Web Server access control | E | |
CVE-2025-6528 | 70mai M300 RTSP Live Video Stream Endpoint 12 improper authentication | E | |
CVE-2025-6529 | 70mai M300 Telnet Service default credentials | E | |
CVE-2025-6530 | 70mai M300 Telnet Service demo.sh denial of service | E | |
CVE-2025-6531 | SIFUSM/MZZYG BD S1 RTSP Live Video Stream Endpoint access control | E | |
CVE-2025-6532 | NOYAFA/Xiami LF9 Pro RTSP Live Video Stream Endpoint access control | E | |
CVE-2025-6533 | xxyopen/201206030 novel-plus CATCHA LoginController.java ajaxLogin authentication replay | E | |
CVE-2025-6534 | xxyopen/201206030 novel-plus File FileController.java remove resource injection | E | |
CVE-2025-6535 | xxyopen/201206030 novel-plus User Management Module UserMapper.xml list sql injection | E | |
CVE-2025-6536 | Tarantool datetime.c tm_to_datetime assertion | E | |
CVE-2025-6537 | Namasha By Mdesign <= 1.2.00 - Authenticated (Contributor+) Stored Cross-Site Scripting via playicon_title Parameter | | |
CVE-2025-6538 | Post Rating and Review <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter | | |
CVE-2025-6539 | Voltax Video Player <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter | | |
CVE-2025-6540 | web-cam <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via slug Parameter | | |
CVE-2025-6543 | Memory overflow vulnerability leading to unintended control flow and Denial of Service | KEV | |
CVE-2025-6545 | pbkdf2 silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos supported by Node.js | S | |
CVE-2025-6546 | Drive Folder Embedder <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via tablecssclass Parameter | | |
CVE-2025-6547 | On Node.js < 3, pbkdf2 silently disregards Uint8Array input, returning static keys | S | |
CVE-2025-6549 | Junos OS: SRX Series: J-Web can be exposed on additional interfaces | S | |
CVE-2025-6550 | The Pack Elementor addon <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | | |
CVE-2025-6551 | java-aodeng Hope-Boot WebController.java login cross site scripting | E | |
CVE-2025-6552 | java-aodeng Hope-Boot Login WebController.java doLogin redirect | E | |
CVE-2025-6554 | Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform ar... | KEV | |
CVE-2025-6555 | Use after free in Animation in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to pot... | | |
CVE-2025-6556 | Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote a... | | |
CVE-2025-6557 | Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed ... | | |
CVE-2025-6558 | Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157... | KEV | |
CVE-2025-6559 | Sapido Wireless Router - OS Command Injection | | |
CVE-2025-6560 | Sapido Wireless Router - Exposure of Sensitive Information | | |
CVE-2025-6561 | Hunt Electronic Hybrid DVR - Exposure of Sensitive System Information | S | |
CVE-2025-6562 | Hunt Electronic Hybrid DVR - OS Command Injection | S | |
CVE-2025-6563 | Cross-site scripting via dst parameter in RouterOS WiFi hotspot | E | |
CVE-2025-6565 | Netgear WNCE3001 HTTP POST Request http_d stack-based overflow | E | |
CVE-2025-6566 | oatpp Oat++ Deserializer.cpp deserializeArray stack-based overflow | E | |
CVE-2025-6567 | Campcodes Online Recruitment Management System view_application.php sql injection | E | |
CVE-2025-6568 | TOTOLINK EX1200T HTTP POST Request formIpv6Setup buffer overflow | E | |
CVE-2025-6569 | code-projects School Fees Payment System student.php cross site scripting | E | |
CVE-2025-6570 | PHPGurukul Hospital Management System search.php sql injection | E | |
CVE-2025-6572 | OpenStreetMap for Gutenberg and WPBakery Page Builder <= 1.2.0 - Contributor+ Stored XSS | E | |
CVE-2025-6573 | GPU DDK - RGXFW_CTL.pui8FWScratchBuf Leak/Overwrite | | |
CVE-2025-6578 | code-projects Simple Online Hotel Reservation System delete_account.php sql injection | E | |
CVE-2025-6579 | code-projects Car Rental System message_admin.php sql injection | E | |
CVE-2025-6580 | SourceCodester Best Salon Management System Login sql injection | E | |
CVE-2025-6581 | SourceCodester Best Salon Management System add-customer.php sql injection | E | |
CVE-2025-6582 | SourceCodester Best Salon Management System edit-customer-detailed.php sql injection | E | |
CVE-2025-6583 | SourceCodester Best Salon Management System view-appointment.php sql injection | E | |
CVE-2025-6585 | WP JobHunt <= 7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Account Deletion | | |
CVE-2025-6586 | Download Plugin <= 2.2.8 - Authenticated (Administrator+) Arbitrary File Upload | | |
CVE-2025-6587 | Exposure of system environment variables in Docker Desktop diagnostic logs | | |
CVE-2025-6588 | FunnelCockpit <= 1.4.2 - Reflected Cross-Site Scripting via `error` Parameter | | |
CVE-2025-6600 | GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Search API | | |
CVE-2025-6603 | coldfunction qCUDA qcow.c qcow_make_empty integer overflow | | |
CVE-2025-6604 | SourceCodester Best Salon Management System add-staff.php sql injection | E | |
CVE-2025-6605 | SourceCodester Best Salon Management System edit-staff.php sql injection | E | |
CVE-2025-6606 | SourceCodester Best Salon Management System add-services.php sql injection | E | |
CVE-2025-6607 | SourceCodester Best Salon Management System stock.php sql injection | E | |
CVE-2025-6608 | SourceCodester Best Salon Management System edit-services.php sql injection | E | |
CVE-2025-6609 | SourceCodester Best Salon Management System bwdates-reports-details.php sql injection | E | |
CVE-2025-6610 | itsourcecode Employee Management System editempprofile.php sql injection | E | |
CVE-2025-6611 | code-projects Inventory Management System createBrand.php sql injection | E | |
CVE-2025-6612 | code-projects Inventory Management System removeCategories.php sql injection | E | |
CVE-2025-6613 | PHPGurukul Hospital Management System manage-patient.php cross site scripting | E | |
CVE-2025-6614 | D-Link DIR-619L formSetWANType_Wizard5 stack-based overflow | E | |
CVE-2025-6615 | D-Link DIR-619L formAutoDetecWAN_wizard4 stack-based overflow | E | |
CVE-2025-6616 | D-Link DIR-619L formSetWAN_Wizard51 stack-based overflow | E | |
CVE-2025-6617 | D-Link DIR-619L formAdvanceSetup stack-based overflow | E | |
CVE-2025-6618 | TOTOLINK CA300-PoE wps.so SetWLanApcliSettings os command injection | E | |
CVE-2025-6619 | TOTOLINK CA300-PoE upgrade.so setUpgradeFW os command injection | E | |
CVE-2025-6620 | TOTOLINK CA300-PoE upgrade.so setUpgradeUboot os command injection | E | |
CVE-2025-6621 | TOTOLINK CA300-PoE ap.so QuickSetting os command injection | E | |
CVE-2025-6624 | Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information in... | S | |
CVE-2025-6625 | CWE-20: Improper Input Validation vulnerability exists that could cause a Denial Of Service when spe... | | |
CVE-2025-6626 | ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization <= 3.10.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via API URL | | |
CVE-2025-6627 | TOTOLINK A702R HTTP POST Request formIpv6Setup buffer overflow | E | |
CVE-2025-6631 | PRT File Parsing Out-of-Bounds Write Vulnerability | S | |
CVE-2025-6632 | PSD File Parsing Out-of-Bounds Read Vulnerability | S | |
CVE-2025-6633 | RBG File Parsing Out-of-Bounds Write Vulnerability | S | |
CVE-2025-6634 | TGA File Parsing Memory Corruption Vulnerability | S | |
CVE-2025-6635 | PRT File Parsing Out-of-Bounds Read Vulnerability | S | |
CVE-2025-6636 | PRT File Parsing Use-After-Free Vulnerability | S | |
CVE-2025-6637 | PRT File Parsing Out-of-Bounds Write Vulnerability | S | |
CVE-2025-6640 | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability | | |
CVE-2025-6641 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6642 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability | | |
CVE-2025-6643 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6644 | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability | | |
CVE-2025-6645 | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability | | |
CVE-2025-6646 | PDF-XChange Editor U3D File Parsing Use-After-Free Information Disclosure Vulnerability | | |
CVE-2025-6647 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | | |
CVE-2025-6648 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6649 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6650 | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6651 | PDF-XChange Editor JP2 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | | |
CVE-2025-6652 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6653 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6654 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | | |
CVE-2025-6655 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6656 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6657 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6658 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6659 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | | |
CVE-2025-6660 | PDF-XChange Editor GIF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability | | |
CVE-2025-6661 | PDF-XChange Editor App Object Use-After-Free Remote Code Execution Vulnerability | | |
CVE-2025-6662 | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability | | |
CVE-2025-6663 | GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability | S | |
CVE-2025-6664 | CodeAstro Patient Record Management System cross-site request forgery | E | |
CVE-2025-6665 | code-projects Inventory Management System editBrand.php sql injection | E | |
CVE-2025-6667 | code-projects Car Rental System add_cars.php unrestricted upload | E | |
CVE-2025-6668 | code-projects Inventory Management System fetchSelectedBrand.php sql injection | E | |
CVE-2025-6669 | gooaclok819 sublinkX jwt.go hard-coded key | E S | |
CVE-2025-6673 | Easy restaurant menu manager <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `nsc_eprm_menu_link` Shortcode | | |
CVE-2025-6674 | CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081 | | |
CVE-2025-6675 | Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082 | | |
CVE-2025-6676 | Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083 | | |
CVE-2025-6677 | Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084 | | |
CVE-2025-6678 | Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability | | |
CVE-2025-6679 | Contact Form by Bit Form - Bit Form <= 2.20.3 - Unauthenticated Arbitrary File Upload | | |
CVE-2025-6681 | Fan Page <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter | | |
CVE-2025-6686 | Magic Buttons for Elementor <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode | | |
CVE-2025-6687 | Magic Buttons for Elementor <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode | | |
CVE-2025-6688 | Simple Payment 1.3.6 - 2.3.8 - Authentication Bypass to Admin | S | |
CVE-2025-6689 | FL3R Accessibility Suite <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via fl3raccessibilitysuite Shortcode | | |
CVE-2025-6690 | WP Tournament Registration <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via field Parameter | | |
CVE-2025-6691 | SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Submission Deletion | S | |
CVE-2025-6692 | YouTube Embed <= 10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via instance Parameter | | |
CVE-2025-6693 | RT-Thread device.c sys_device_write memory corruption | E | |
CVE-2025-6694 | LabRedesCefetRJ WeGIA Adicionar Unidade adicionar_unidade.php cross site scripting | E | |
CVE-2025-6695 | LabRedesCefetRJ WeGIA Additional Categoria adicionar_categoria.php cross site scripting | E | |
CVE-2025-6696 | LabRedesCefetRJ WeGIA Cadastro de Atendio Cadastro_Atendido.php cross site scripting | E | |
CVE-2025-6697 | LabRedesCefetRJ WeGIA Adicionar tipo adicionar_tipoEntrada.php cross site scripting | E | |
CVE-2025-6698 | LabRedesCefetRJ WeGIA Adicionar tipo adicionar_tipoSaida.php cross site scripting | E | |
CVE-2025-6699 | LabRedesCefetRJ WeGIA Cadastro de Funcionário cadastro_funcionario.php cross site scripting | E | |
CVE-2025-6700 | Xuxueli xxl-sso login cross site scripting | E | |
CVE-2025-6701 | Xuxueli xxl-sso doLogin redirect | E | |
CVE-2025-6702 | linlinjava litemall post improper authorization | E | |
CVE-2025-6703 | transport/fc.rs: panic attempting to send MAX_DATA with value larger max varint | | |
CVE-2025-6704 | An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall ... | | |
CVE-2025-6705 | A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed un... | S | |
CVE-2025-6706 | Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server | | |
CVE-2025-6707 | Race condition in privilege cache invalidation cycle | | |
CVE-2025-6709 | Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication | | |
CVE-2025-6710 | Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB | | |
CVE-2025-6711 | Incomplete Redaction of Sensitive Information in MongoDB Server Logs | | |
CVE-2025-6712 | MongoDB Server may be susceptible to DoS due to Accumulated Memory Allocation | | |
CVE-2025-6713 | MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage | | |
CVE-2025-6714 | Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections | | |
CVE-2025-6715 | Latepoint < 5.1.94 - Unauthenticated LFI | E | |
CVE-2025-6716 | Contest Gallery <= 26.0.8 - Authenticated (Author+) Stored Cross-Site Scripting | | |
CVE-2025-6717 | B1.lt for WooCommerce <= 2.2.56 - Authenticated (Subscriber+) SQL Injection | | |
CVE-2025-6718 | B1.lt for WooCommerce <= 2.2.56 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Injection | | |
CVE-2025-6719 | Terms descriptions <= 3.4.8 - Authenticated (Admin+) Stored Cross-Site Scripting | | |
CVE-2025-6720 | Vchasno Kasa <= 1.0.3 - Unauthenticated Log File Clearing | | |
CVE-2025-6721 | Vchasno Kasa <= 1.0.3 - Missing Authorization to Unauthenticated Invoice Generation | | |
CVE-2025-6722 | BitFire <= 4.5 - Unauthenticated Information Exposure | | |
CVE-2025-6725 | Cross-Site Scripting (XSS) in PdfViewer | | |
CVE-2025-6726 | Block Editor Gallery Slider <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Limited Post Meta Update | | |
CVE-2025-6729 | PayMaster for WooCommerce <= 0.4.31 - Authenticated (Subscriber+) Server-Side Request Forgery | | |
CVE-2025-6730 | Bonanza – WooCommerce Free Gifts Lite <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Opt In Success | | |
CVE-2025-6731 | yzcheng90 X-SpringBoot APK File apk uploadApk path traversal | E | |
CVE-2025-6732 | UTT HiPER 840G API setSysAdm strcpy buffer overflow | E | |
CVE-2025-6733 | UTT HiPER 840G API formConfigDnsFilterGlobal sub_416928 buffer overflow | E | |
CVE-2025-6734 | UTT HiPER 840G API formP2PLimitConfig sub_484E40 buffer overflow | E | |
CVE-2025-6735 | juzaweb CMS Import Page imports improper authorization | E | |
CVE-2025-6736 | juzaweb CMS Add New Themes Page install improper authorization | E | |
CVE-2025-6737 | Securden Unified PAM Shared SSH Key and Cloud Infrastructure | | |
CVE-2025-6738 | huija bicycleSharingServer UserServiceImpl.java userDao.selectUserByUserNameLike sql injection | E | |
CVE-2025-6739 | WPQuiz <= 0.4.2 - Authenticated (Contributor+) SQL Injection | | |
CVE-2025-6740 | Contact Form 7 Database Addon <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting via tmpD Parameter | S | |
CVE-2025-6741 | Improper access control in secure message component in Devolutions Server allows an authenticated us... | | |
CVE-2025-6742 | SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion | S | |
CVE-2025-6743 | WoodMart <= 8.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting | | |
CVE-2025-6744 | Woodmart <= 8.2.3 - Unauthenticated Arbitrary Shortcode Execution | | |
CVE-2025-6745 | WoodMart <= 8.2.5 - Unauthenticated Post Disclosure | | |
CVE-2025-6746 | WoodMart <= 8.2.3 - Authenticated (Contributor+) Local File Inclusion | | |
CVE-2025-6747 | Avada (Fusion) Builder <= 3.12.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | |
CVE-2025-6748 | Bharti Airtel Thanks App files cleartext storage in a file or on disk | E | |
CVE-2025-6749 | huija bicycleSharingServer AdminController.java searchAdminMessageShow sql injection | E | |
CVE-2025-6750 | HDF5 H5Omtime.c H5O__mtime_new_encode heap-based overflow | E | |
CVE-2025-6751 | Linksys E8450 HTTP POST Request portal.cgi set_device_language buffer overflow | E | |
CVE-2025-6752 | Linksys WRT1900ACS/EA7200/EA7450/EA7500 IGD Layer3Forwarding SetDefaultConnectionService stack-based overflow | E | |
CVE-2025-6753 | huija bicycleSharingServer AdminController.java selectAdminByNameLike sql injection | E | |
CVE-2025-6754 | SEO Metrics <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation | | |
CVE-2025-6755 | Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter | | |
CVE-2025-6756 | Ultra Addons for Contact Form 7 <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode | S | |
CVE-2025-6758 | Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to Administrator via 'imic_agent_register' | | |
CVE-2025-6759 | Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges | | |
CVE-2025-6761 | Kingdee Cloud-Starry-Sky Enterprise Edition Freemarker Engine DynamicForm 4 Action.class plugin.buildMobilePopHtml special elements used in a template engine | S | |
CVE-2025-6762 | diyhi bbs HTTP Header login getUrl server-side request forgery | E | |
CVE-2025-6763 | Comet System H3531 Web-based Management Interface setupA.cfg missing authentication | E | |
CVE-2025-6765 | Intelbras InControl HTTP PUT Request operador permission | E | |
CVE-2025-6766 | sfturing hosp_order OfficeServiceImpl.java getOfficeName sql injection | E | |
CVE-2025-6767 | sfturing hosp_order DoctorServiceImpl.java findDoctorByCondition sql injection | E | |
CVE-2025-6768 | sfturing hosp_order HospitalServiceImpl.java findAllHosByCondition sql injection | E | |
CVE-2025-6770 | OS command injection in Ivanti Endpoint Manager | | |
CVE-2025-6771 | OS command injection in Ivanti Endpoint Manager | | |
CVE-2025-6772 | eosphoros-ai db-gpt import import_flow path traversal | E | |
CVE-2025-6773 | HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal | S | |
CVE-2025-6774 | gooaclok819 sublinkX template.go AddTemp path traversal | E S | |
CVE-2025-6775 | xiaoyunjie openvpn-cms-flask User Creation Endpoint openvpn.py create_user command injection | E S | |
CVE-2025-6776 | xiaoyunjie openvpn-cms-flask File Upload controller.py upload path traversal | E S | |
CVE-2025-6777 | code-projects Food Distributor Site process_login.php sql injection | E | |
CVE-2025-6778 | code-projects Food Distributor Site save_settings.php cross site scripting | E | |
CVE-2025-6781 | Copymatic – AI Content Writer & Generator <= 2.1 - Cross-Site Request Forgery to Settings Update | | |
CVE-2025-6782 | GoZen Forms <= 1.1.5 - Unauthenticated SQL Injection via dirGZActiveForm() | | |
CVE-2025-6783 | GoZen Forms <= 1.1.5 - Unauthenticated SQL Injection via emdedSc() | | |
CVE-2025-6786 | DocCheck Login <= 1.1.5 - Unauthorized Post Access | | |
CVE-2025-6787 | Smart Docs <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | |
CVE-2025-6788 | A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resou... | | |
CVE-2025-6790 | QSM < 10.2.3 - Template Creation via CSRF | E | |
CVE-2025-6791 | Second order SQL injection available to user with low privilege | | |
CVE-2025-6793 | Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability | | |
CVE-2025-6794 | Marvell QConvergeConsole saveAsText Directory Traversal Remote Code Execution Vulnerability | | |
CVE-2025-6795 | Marvell QConvergeConsole getFileUploadSize Directory Traversal Information Disclosure Vulnerability | | |
CVE-2025-6796 | Marvell QConvergeConsole getAppFileBytes Directory Traversal Information Disclosure Vulnerability | | |
CVE-2025-6797 | Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability | | |
CVE-2025-6798 | Marvell QConvergeConsole deleteAppFile Directory Traversal Arbitrary File Deletion Vulnerability | | |
CVE-2025-6799 | Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability | | |
CVE-2025-6800 | Marvell QConvergeConsole restoreESwitchConfig Directory Traversal Information Disclosure Vulnerability | | |
CVE-2025-6801 | Marvell QConvergeConsole saveNICParamsToFile Directory Traversal Arbitrary File Write Vulnerability | | |
CVE-2025-6802 | Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability | | |
CVE-2025-6803 | Marvell QConvergeConsole compressDriverFiles Directory Traversal Information Disclosure Vulnerability | | |
CVE-2025-6804 | Marvell QConvergeConsole compressFirmwareDumpFiles Directory Traversal Information Disclosure Vulnerability | | |
CVE-2025-6805 | Marvell QConvergeConsole deleteEventLogFile Directory Traversal Arbitrary File Deletion Vulnerability | | |
CVE-2025-6806 | Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability | | |
CVE-2025-6807 | Marvell QConvergeConsole getDriverTmpPath Directory Traversal Information Disclosure Vulnerability | | |
CVE-2025-6810 | Mescius ActiveReports.NET ReadValue Deserialization of Untrusted Data Remote Code Execution Vulnerability | | |
CVE-2025-6811 | Mescius ActiveReports.NET TypeResolutionService Deserialization of Untrusted Data Remote Code Execution Vulnerability | | |
CVE-2025-6813 | aapanel WP Toolkit 1.0 - 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via auto_login() Function | | |
CVE-2025-6814 | Booking X 1.0 - 1.1.2 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via export_now() Function | | |
CVE-2025-6816 | HDF5 H5Ofsinfo.c H5O__fsinfo_encode heap-based overflow | E | |
CVE-2025-6817 | HDF5 H5Centry.c H5C__load_entry resource consumption | E | |
CVE-2025-6818 | HDF5 H5Ochunk.c H5O__chunk_protect heap-based overflow | E | |
CVE-2025-6819 | code-projects Inventory Management System removeBrand.php sql injection | E | |
CVE-2025-6820 | code-projects Inventory Management System createProduct.php sql injection | E | |
CVE-2025-6821 | code-projects Inventory Management System createOrder.php sql injection | E | |
CVE-2025-6822 | code-projects Inventory Management System removeProduct.php sql injection | E | |
CVE-2025-6823 | code-projects Inventory Management System editProduct.php sql injection | E | |
CVE-2025-6824 | TOTOLINK X15 HTTP POST Request formParentControl buffer overflow | E | |
CVE-2025-6825 | TOTOLINK A702R HTTP POST Request formWlSiteSurvey buffer overflow | E | |
CVE-2025-6826 | code-projects Payroll Management System ajax.php sql injection | E | |
CVE-2025-6827 | code-projects Inventory Management System editOrder.php sql injection | E | |
CVE-2025-6828 | code-projects Inventory Management System orders.php sql injection | E | |
CVE-2025-6829 | aaluoxiang oa_system External Address Book outAddress sql injection | E | |
CVE-2025-6831 | User Registration <= 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via urcr_restrict Shortcode | | |
CVE-2025-6832 | All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Reflected Cross-Site Scripting | | |
CVE-2025-6834 | code-projects Inventory Management System editPayment.php sql injection | E | |
CVE-2025-6835 | code-projects Library System student-issue-book.php sql injection | E | |
CVE-2025-6836 | code-projects Library System profile.php sql injection | E | |
CVE-2025-6837 | code-projects Library System profile.php unrestricted upload | E M | |
CVE-2025-6838 | Broken Link Notifier <= 1.3.0 - Authenticated (Contributor+) CSV Injection | | |
CVE-2025-6839 | Conjure Position Department Service Quality Evaluation System head.php eval backdoor | E | |
CVE-2025-6840 | code-projects Product Inventory System Login index.php sql injection | E | |
CVE-2025-6841 | code-projects Product Inventory System edit_product.php sql injection | E | |
CVE-2025-6842 | code-projects Product Inventory System edit_user.php sql injection | E | |
CVE-2025-6843 | code-projects Simple Photo Gallery upload-photo.php unrestricted upload | E | |
CVE-2025-6844 | code-projects Simple Forum signin.php sql injection | E | |
CVE-2025-6845 | code-projects Simple Forum register1.php sql injection | E | |
CVE-2025-6846 | code-projects Simple Forum forum_viewfile.php sql injection | E | |
CVE-2025-6847 | code-projects Simple Forum forum_edit.php sql injection | E | |
CVE-2025-6848 | code-projects Simple Forum forum1.php unrestricted upload | E | |
CVE-2025-6849 | code-projects Simple Forum forum_edit1.php cross site scripting | E | |
CVE-2025-6850 | code-projects Simple Forum forum1.php sql injection | E | |
CVE-2025-6851 | Broken Link Notifier <= 1.3.0 - Unauthenticated Server-Side Request Forgery | S | |
CVE-2025-6853 | chatchat-space Langchain-Chatchat Backend upload_temp_docs path traversal | E | |
CVE-2025-6854 | chatchat-space Langchain-Chatchat files path traversal | E | |
CVE-2025-6855 | chatchat-space Langchain-Chatchat file path traversal | E | |
CVE-2025-6856 | HDF5 H5FL.c H5FL__reg_gc_list use after free | E | |
CVE-2025-6857 | HDF5 H5Gnode.c H5G__node_cmp3 stack-based overflow | E | |
CVE-2025-6858 | HDF5 H5Centry.c H5C__flush_single_entry null pointer dereference | E | |
CVE-2025-6859 | SourceCodester Best Salon Management System pro_sale.php sql injection | E | |
CVE-2025-6860 | SourceCodester Best Salon Management System staff_commision.php sql injection | E | |
CVE-2025-6861 | SourceCodester Best Salon Management System add_plan.php sql injection | E | |
CVE-2025-6862 | SourceCodester Best Salon Management System edit_plan.php sql injection | E | |
CVE-2025-6863 | PHPGurukul Local Services Search Engine Management System edit-category-detail.php sql injection | E | |
CVE-2025-6864 | SeaCMS admin_type.php cross-site request forgery | E | |
CVE-2025-6865 | DaiCuo index cross-site request forgery | E | |
CVE-2025-6866 | code-projects Simple Forum forum_downloadfile.php path traversal | E | |
CVE-2025-6867 | SourceCodester Simple Company Website manage.php sql injection | E | |
CVE-2025-6868 | SourceCodester Simple Company Website manage.php sql injection | E | |
CVE-2025-6869 | SourceCodester Simple Company Website manage.php sql injection | E | |
CVE-2025-6870 | SourceCodester Simple Company Website Content.php unrestricted upload | E | |
CVE-2025-6871 | SourceCodester Simple Company Website Login.php sql injection | E | |
CVE-2025-6872 | SourceCodester Simple Company Website SystemSettings.php unrestricted upload | E | |
CVE-2025-6873 | SourceCodester Simple Company Website Users.php unrestricted upload | E | |
CVE-2025-6874 | SourceCodester Best Salon Management System add_subscribe.php sql injection | E | |
CVE-2025-6875 | SourceCodester Best Salon Management System edit-subscription.php sql injection | E | |
CVE-2025-6876 | SourceCodester Best Salon Management System add-category.php sql injection | E | |
CVE-2025-6877 | SourceCodester Best Salon Management System edit-category.php sql injection | E | |
CVE-2025-6878 | SourceCodester Best Salon Management System search-appointment.php sql injection | E | |
CVE-2025-6879 | SourceCodester Best Salon Management System add-tax.php sql injection | E | |
CVE-2025-6880 | SourceCodester Best Salon Management System edit-tax.php sql injection | E | |
CVE-2025-6881 | D-Link DI-8100 jhttpd pppoe_base.asp buffer overflow | E | |
CVE-2025-6882 | D-Link DIR-513 formSetWanPPTP buffer overflow | E | |
CVE-2025-6883 | code-projects Staff Audit System update_index.php sql injection | E | |
CVE-2025-6884 | code-projects Staff Audit System search_index.php sql injection | E | |
CVE-2025-6885 | PHPGurukul Teachers Record Management System edit-teacher-detail.php sql injection | E | |
CVE-2025-6886 | Tenda AC5 openSchedWifi stack-based overflow | E | |
CVE-2025-6887 | Tenda AC5 SetSysTimeCfg stack-based overflow | E | |
CVE-2025-6888 | PHPGurukul Teachers Record Management System changeimage.php sql injection | E | |
CVE-2025-6889 | code-projects Movie Ticketing System logIn.php sql injection | E | |
CVE-2025-6890 | code-projects Movie Ticketing System ticketConfirmation.php sql injection | E | |
CVE-2025-6891 | code-projects Inventory Management System createUser.php sql injection | E | |
CVE-2025-6895 | MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function | | |
CVE-2025-6896 | D-Link DI-7300G+ wget_test.asp os command injection | E | |
CVE-2025-6897 | D-Link DI-7300G+ httpd_debug.asp os command injection | E | |
CVE-2025-6898 | D-Link DI-7300G+ in proxy_client.asp os command injection | E | |
CVE-2025-6899 | D-Link DI-7300G+/DI-8200G msp_info.htm os command injection | E | |
CVE-2025-6900 | code-projects Library System add-book.php unrestricted upload | E M | |
CVE-2025-6901 | code-projects Inventory Management System removeUser.php sql injection | E | |
CVE-2025-6902 | code-projects Inventory Management System editUser.php sql injection | E | |
CVE-2025-6903 | code-projects Car Rental System approve.php sql injection | E | |
CVE-2025-6904 | code-projects Car Rental System add_cars.php sql injection | E | |
CVE-2025-6905 | code-projects Car Rental System signup.php sql injection | E | |
CVE-2025-6906 | code-projects Car Rental System login.php sql injection | E | |
CVE-2025-6907 | code-projects Car Rental System book_car.php sql injection | E | |
CVE-2025-6908 | PHPGurukul Old Age Home Management System edit-services.php sql injection | E | |
CVE-2025-6909 | PHPGurukul Old Age Home Management System add-scdetails.php sql injection | E | |
CVE-2025-6910 | PHPGurukul Student Record System session.php sql injection | E | |
CVE-2025-6911 | PHPGurukul Student Record System manage-subjects.php sql injection | E | |
CVE-2025-6912 | PHPGurukul Student Record System manage-students.php sql injection | E | |
CVE-2025-6913 | PHPGurukul Student Record System admin-profile.php sql injection | E | |
CVE-2025-6914 | PHPGurukul Student Record System edit-student.php sql injection | E | |
CVE-2025-6915 | PHPGurukul Student Record System register.php sql injection | E | |
CVE-2025-6916 | TOTOLINK T6 formLoginAuth.htm Form_Login missing authentication | E | |
CVE-2025-6917 | code-projects Online Hotel Booking registration.php sql injection | E | |
CVE-2025-6918 | SQLi in Ncvav's Virtual PBX Software | | |
CVE-2025-6920 | Ai-inference-server: authentication bypass via unprotected inference endpoint in api | M | |
CVE-2025-6925 | Dromara RuoYi-Vue-Plus Mail MailController.java path traversal | E | |
CVE-2025-6926 | Security Authentication Bypass in CentralAuth | | |
CVE-2025-6929 | PHPGurukul Zoo Management System view-normal-ticket.php sql injection | E | |
CVE-2025-6930 | PHPGurukul Zoo Management System manage-foreigners-ticket.php sql injection | E | |
CVE-2025-6931 | D-Link DCS-6517/DCS-7517 Root Password Generation httpd generate_pass_from_mac entropy | E | |
CVE-2025-6932 | D-Link DCS-7517 Qlync Password Generation httpd g_F_n_GenPassForQlync hard-coded password | E | |
CVE-2025-6934 | Opal Estate Pro <= 1.7.5 - Unauthenticated Privilege Escalation via 'on_regiser_user' | | |
CVE-2025-6935 | Campcodes Sales and Inventory System payment_add.php sql injection | E | |
CVE-2025-6936 | code-projects Simple Pizza Ordering System addpro.php sql injection | E | |
CVE-2025-6937 | code-projects Simple Pizza Ordering System large.php sql injection | E | |
CVE-2025-6938 | code-projects Simple Pizza Ordering System editcus.php sql injection | E | |
CVE-2025-6939 | TOTOLINK A3002RU HTTP POST Request formWlSiteSurvey buffer overflow | E | |
CVE-2025-6940 | TOTOLINK A702R HTTP POST Request formParentControl buffer overflow | E | |
CVE-2025-6942 | The distributed engine versions 8.4.39.0 and earlier of Secret Server versions 11.7.49 and earlier c... | | |
CVE-2025-6943 | Secret Server version 11.7 and earlier is vulnerable to a SQL report creation vulnerability that all... | | |
CVE-2025-6944 | Uncode Core <= 2.9.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes | | |
CVE-2025-6948 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab | E S | |
CVE-2025-6951 | SAFECAM X300 FTP Service default credentials | E | |
CVE-2025-6952 | Open5GS AMF Service amf-sm.c amf_state_operational assertion | S | |
CVE-2025-6953 | TOTOLINK A3002RU HTTP POST Request formParentControl buffer overflow | E | |
CVE-2025-6954 | Campcodes Employee Management System applyleave.php sql injection | E | |
CVE-2025-6955 | Campcodes Employee Management System aprocess.php sql injection | E | |
CVE-2025-6956 | Campcodes Employee Management System changepassemp.php sql injection | E | |
CVE-2025-6957 | Campcodes Employee Management System eprocess.php sql injection | E | |
CVE-2025-6958 | Campcodes Employee Management System edit.php sql injection | E | |
CVE-2025-6959 | Campcodes Employee Management System eloginwel.php sql injection | E | |
CVE-2025-6960 | Campcodes Employee Management System empproject.php sql injection | E | |
CVE-2025-6961 | Campcodes Employee Management System mark.php sql injection | E | |
CVE-2025-6962 | Campcodes Employee Management System myprofileup.php sql injection | E | |
CVE-2025-6963 | Campcodes Employee Management System myprofile.php sql injection | E | |
CVE-2025-6965 | Integer Truncation on SQLite | S | |
CVE-2025-6970 | Events Manager <= 7.0.3 - Unauthenticated SQL Injection via `orderby` Parameter | S | |
CVE-2025-6971 | Use After Free vulnerability exists in the CATPRODUCT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 | | |
CVE-2025-6972 | Use After Free vulnerability exists in the CATPRODUCT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 | | |
CVE-2025-6973 | Use After Free vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 | | |
CVE-2025-6974 | Use of Uninitialized Variable vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 | | |
CVE-2025-6975 | Event Manager <= 7.0.3 - Reflected Cross-Site Scripting via `calendar_header` Parameter | S | |
CVE-2025-6976 | Events Manager <= 7.0.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes | S | |
CVE-2025-6977 | ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.4 - Reflected Cross-Site Scripting via 'pm_get_messenger_notification' function | S | |
CVE-2025-6981 | Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access | | |
CVE-2025-6982 | Hardcoded DES Decryption Keys in TP-Link Archer C50 V3/V4/V5 | | |
CVE-2025-6983 | Clickjacking vulnerability on the management web application of TP-LINK Archer C1200 | | |
CVE-2025-6986 | FileBird – WordPress Media Library Folders & File Manager <= 6.4.8 - Authenticated (Author+) SQL Injection | | |
CVE-2025-6987 | Advanced iFrame <= 2025.5 - Authenticated (Contributor+) Stored Cross-Site Scripting | | |
CVE-2025-6989 | Kallyas <= 4.21.0 - Authenticated (Contributor+) Arbitrary Folder Deletion | | |
CVE-2025-6991 | Kallyas <= 4.21.0 - Authenticated (Contributor+) Local File Inclusion | | |
CVE-2025-6993 | Ultimate WP Mail 1.0.17 - 1.3.6 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function | S | |
CVE-2025-6994 | Reveal Listing <= 3.3 - Unauthenticated Privilege Escalation | | |
CVE-2025-6995 | Improper Encryption in Ivanti Endpoint Manager | | |
CVE-2025-6996 | Improper Encryption in Ivanti Endpoint Manager | | |
CVE-2025-6997 | ThemeREX Addons <= 2.35.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trx_addons_get_svg_from_file Function | | |
CVE-2025-6998 | Calibre Web 0.6.24 & Autocaliweb 0.7.0 - ReDoS | | |