Total
91011 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-28756 | 1 Solaredge | 1 Mysolaredge | 2025-06-17 | N/A | 5.9 MEDIUM |
| The SolarEdge mySolarEdge application before 2.20.1 for Android has a certificate verification issue that allows a Machine-in-the-middle (MitM) attacker to read and alter all network traffic between the application and the server. | |||||
| CVE-2024-24028 | 1 Likeshop | 1 Likeshop | 2025-06-17 | N/A | 5.9 MEDIUM |
| Server Side Request Forgery (SSRF) vulnerability in Likeshop before 2.5.7 allows attackers to view sensitive information via the avatar parameter in function UserLogic::updateWechatInfo. | |||||
| CVE-2025-5700 | 2025-06-17 | N/A | 6.4 MEDIUM | ||
| The Simple Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5291 | 2025-06-17 | N/A | 6.4 MEDIUM | ||
| The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-3880 | 2025-06-17 | N/A | 4.3 MEDIUM | ||
| The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected. | |||||
| CVE-2021-23814 | 1 Unisharp | 1 Laravel-filemanager | 2025-06-17 | 6.5 MEDIUM | 6.7 MEDIUM |
| This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: 1. Install a package with a web Laravel application. 2. Navigate to the Upload window 3. Upload an image file, then capture the request 4. Edit the request contents with a malicious file (webshell) 5. Enter the path of file uploaded on URL - Remote Code Execution **Note:** Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories). | |||||
| CVE-2025-32920 | 2025-06-17 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Stored XSS.This issue affects TI WooCommerce Wishlist: from n/a through 2.10.0. | |||||
| CVE-2024-47196 | 1 Siemens | 2 Modelsim, Questa | 2025-06-17 | N/A | 6.7 MEDIUM |
| A vulnerability has been identified in ModelSim (All versions < V2025.2), Questa (All versions < V2025.2). vsimk.exe in affected applications allows a specific tcl file to be loaded from the current working directory. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges in installations where administrators or processes with elevated privileges launch vsimk.exe from a user-writable directory. | |||||
| CVE-2025-6173 | 2025-06-17 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release. | |||||
| CVE-2025-6156 | 2025-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /bwdates-report-ds.php. The manipulation of the argument testtype leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-5673 | 2025-06-17 | N/A | 6.5 MEDIUM | ||
| The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-4775 | 2025-06-17 | N/A | 6.4 MEDIUM | ||
| The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-35410 | 1 Kanaka | 1 Wac | 2025-06-17 | N/A | 6.2 MEDIUM |
| wac commit 385e1 was discovered to contain a heap overflow via the interpret function at /wac-asan/wa.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted wasm file. | |||||
| CVE-2024-35418 | 1 Kanaka | 1 Wac | 2025-06-17 | N/A | 6.2 MEDIUM |
| wac commit 385e1 was discovered to contain a heap overflow via the setup_call function at /wac-asan/wa.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted wasm file. | |||||
| CVE-2024-35419 | 1 Kanaka | 1 Wac | 2025-06-17 | N/A | 5.5 MEDIUM |
| wac commit 385e1 was discovered to contain a heap overflow via the load_module function at /wac-asan/wa.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted wasm file. | |||||
| CVE-2024-35420 | 1 Kanaka | 1 Wac | 2025-06-17 | N/A | 6.2 MEDIUM |
| wac commit 385e1 was discovered to contain a heap overflow. | |||||
| CVE-2024-50848 | 1 Rws | 1 Worldserver | 2025-06-17 | N/A | 6.5 MEDIUM |
| An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file. | |||||
| CVE-2025-3901 | 1 Bootstrap Site Alert Project | 1 Bootstrap Site Alert Project | 2025-06-17 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Bootstrap Site Alert allows Cross-Site Scripting (XSS).This issue affects Bootstrap Site Alert: from 0.0.0 before 1.13.0, from 3.0.0 before 3.0.4. | |||||
| CVE-2025-3902 | 1 Four Kitchens | 1 Block Class | 2025-06-17 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Class allows Cross-Site Scripting (XSS).This issue affects Block Class: from 4.0.0 before 4.0.1. | |||||
| CVE-2025-6142 | 2025-06-16 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Intera InHire up to 20250530. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument 29chcotoo9 leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||