CVE-2025-27218
CVE-2025-26856
CVE-2025-24947
CVE-2025-24946
CVE-2025-23020
CVE-2025-1492
CVE-2025-1483
CVE-2025-1328
CVE-2025-1293
CVE-2025-1223
CVE-2025-1222
CVE-2025-1064
CVE-2025-0897
CVE-2025-0866
CVE-2024-49782
CVE-2024-49780
CVE-2024-49355
CVE-2024-43196
CVE-2024-13888
CVE-2024-13855
Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
Maximum CVSS Score : 0.0
Exploit Availability: Not available
CVE-2025-26856
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-20617.
Maximum CVSS Score : 7.2
Exploit Availability: Not available
CVE-2025-24947
A hash collision vulnerability (in the hash table used to manage connections) in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). This is caused by XXH32 usage.
Maximum CVSS Score : 5.3
Exploit Availability: Not available
CVE-2025-24946
The hash table used to manage connections in picoquic before b80fd3f uses a weak hash function, allowing remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs).
Maximum CVSS Score : 5.3
Exploit Availability: Not available
CVE-2025-23020
An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs).
Maximum CVSS Score : 5.3
Exploit Availability: Not available
CVE-2025-1492
Bundle Protocol and CBOR dissector crashes in Wireshark 4.4.0 to 4.4.3 and 4.2.0 to 4.2.10 allows denial of service via packet injection or crafted capture file
Maximum CVSS Score : 7.8
Exploit Availability: Not available
CVE-2025-1483
The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings.
Maximum CVSS Score : 5.3
Exploit Availability: Not available
CVE-2025-1328
The Typed JS: A typewriter style animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘typespeed’ parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Maximum CVSS Score : 6.4
Exploit Availability: Not available
CVE-2025-1293
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.
Maximum CVSS Score : 8.2
Exploit Availability: Not available
CVE-2025-1223
An attacker can gain application privileges in order to perform limited modification and/or read arbitrary data in Citrix Secure Access Client for Mac
Maximum CVSS Score : 5.8
Exploit Availability: Not available
CVE-2025-1222
An attacker can gain application privileges in order to perform limited modification and/or read arbitrary data in Citrix Secure Access Client for Mac
Maximum CVSS Score : 5.8
Exploit Availability: Not available
CVE-2025-1064
The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's xoo_el_action shortcode in all versions up to, and including, 2.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Maximum CVSS Score : 6.4
Exploit Availability: Not available
CVE-2025-0897
The Modal Window – create popup modal window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 6.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Maximum CVSS Score : 6.4
Exploit Availability: Not available
CVE-2025-0866
The Legoeso PDF Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘checkedVals’ parameter in all versions up to, and including, 1.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Maximum CVSS Score : 6.5
Exploit Availability: Not available
CVE-2024-49782
IBM OpenPages with Watson 8.3 and 9.0
could allow a remote attacker to spoof mail server identity when using SSL/TLS security. An attacker could exploit this vulnerability to gain access to sensitive information disclosed through email notifications generated by OpenPages or disrupt notification delivery.
could allow a remote attacker to spoof mail server identity when using SSL/TLS security. An attacker could exploit this vulnerability to gain access to sensitive information disclosed through email notifications generated by OpenPages or disrupt notification delivery.
Maximum CVSS Score : 6.8
Exploit Availability: Not available
CVE-2024-49780
IBM OpenPages with Watson 8.3 and 9.0
IBM OpenPages could allow a remote attacker to traverse directories on the system. An attacker with privileges to perform Import Configuration could send a specially crafted http request containing "dot dot" sequences (/../) in the file name parameter used in Import Configuration to write files to arbitrary locations outside of the specified directory and possibly overwrite arbitrary files.
IBM OpenPages could allow a remote attacker to traverse directories on the system. An attacker with privileges to perform Import Configuration could send a specially crafted http request containing "dot dot" sequences (/../) in the file name parameter used in Import Configuration to write files to arbitrary locations outside of the specified directory and possibly overwrite arbitrary files.
Maximum CVSS Score : 5.3
Exploit Availability: Not available
CVE-2024-49355
IBM OpenPages with Watson 8.3 and 9.0 may write improperly neutralized data to server log files when the tracing is enabled per the System Tracing feature.
Maximum CVSS Score : 5.3
Exploit Availability: Not available
CVE-2024-43196
IBM OpenPages with Watson 8.3 and 9.0
application could allow an authenticated user to manipulate data in the Questionnaires application allowing the user to spoof other users' responses.
application could allow an authenticated user to manipulate data in the Questionnaires application allowing the user to spoof other users' responses.
Maximum CVSS Score : 4.3
Exploit Availability: Not available
CVE-2024-13888
The WPMobile.App plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 11.56. This is due to insufficient validation on the redirect URL supplied via the 'redirect' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Maximum CVSS Score : 7.2
Exploit Availability: Not available
CVE-2024-13855
The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, private, password protected, and restricted posts. This applies to posts created with Elementor only.
Maximum CVSS Score : 4.3
Exploit Availability: Not available
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
