Total
89079 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-20955 | | | 2025-05-07 | N/A | 5.5 MEDIUM |
Improper Export of Android Application Components in NotificationHistoryImageProvider prior to SMR May-2025 Release 1 allows local attackers to access notification images. | |||||
CVE-2025-20960 | | | 2025-05-07 | N/A | 4.0 MEDIUM |
Improper handling of insufficient permission in CocktailBarService prior to SMR May-2025 Release 1 allows local attackers to use the privileged api. | |||||
CVE-2025-3924 | | | 2025-05-07 | N/A | 5.3 MEDIUM |
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the 'valid_email' value based solely on a supplied username parameter, without verifying that the requester is associated with that user account. This allows unauthenticated attackers to enumerate email addresses for any user, including administrators. | |||||
CVE-2025-4353 | | | 2025-05-07 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability, which was classified as critical, was found in Golden Link Secondary System up to 20250424. Affected is an unknown function of the file /paraframework/queryTsDictionaryType.htm. The manipulation of the argument dictCn1 leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-3766 | | | 2025-05-07 | N/A | 5.4 MEDIUM |
The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP addresses to the plugin allowlist. This can only be exploited on new installations where the site administrator hasn't visited the loginlockdown page yet. | |||||
CVE-2025-4374 | | | 2025-05-07 | N/A | 6.5 MEDIUM |
A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasn't been mirrored yet, they are granted "Admin" permissions on the newly created repository. | |||||
CVE-2025-20963 | | | 2025-05-07 | N/A | 6.6 MEDIUM |
Out-of-bounds write in memory initialization in libsavsvc.so prior to SMR May-2025 Release 1 allows local attackers to write out-of-bounds memory. | |||||
CVE-2025-3851 | | | 2025-05-07 | N/A | 4.3 MEDIUM |
The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 1.1.0 to 2.7.13 via the show() function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other users' data like email address, name, and notes. | |||||
CVE-2025-3020 | | | 2025-05-07 | N/A | 5.4 MEDIUM |
A low-privileged remote attacker can execute arbitrary web scripts or HTML via a crafted payload injected into several fields of the configuration webpage with limited impact. | |||||
CVE-2025-20978 | | | 2025-05-07 | N/A | 6.2 MEDIUM |
Improper access control in PENUP prior to version 3.9.19.32 allows local attackers to access files with PENUP privilege. | |||||
CVE-2025-20958 | | | 2025-05-07 | N/A | 4.4 MEDIUM |
Improper verification of intent by broadcast receiver in UnifiedWFC prior to SMR May-2025 Release 1 allows local attackers to manipulate VoWiFi related behaviors. | |||||
CVE-2025-20970 | | | 2025-05-07 | N/A | 6.2 MEDIUM |
Improper access control in Bixby Vision prior to version 3.8.1 in Android 13, 3.8.3 in Android 14, 3.8.21 in Android 15 allows local attackers to access image files with Bixby Vision privilege. | |||||
CVE-2025-20975 | | | 2025-05-07 | N/A | 5.5 MEDIUM |
Improper Export of Android Application Components in AODService prior to version 8.8.28.12 allows local attackers to launch arbitrary activity with systemui privilege. | |||||
CVE-2025-4352 | | | 2025-05-07 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability, which was classified as critical, has been found in Golden Link Secondary System up to 20250424. This issue affects some unknown processing of the file /reprotframework/tcEntrFlowSelect.htm. The manipulation of the argument custTradeId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-20964 | | | 2025-05-07 | N/A | 6.6 MEDIUM |
Out-of-bounds write in parsing media files in libsavsvc.so prior to SMR May-2025 Release 1 allows local attackers to write out-of-bounds memory. | |||||
CVE-2025-4055 | | | 2025-05-07 | N/A | 6.4 MEDIUM |
The Multiple Post Type Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mpto' shortcode in all versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-4311 | 1 Zenml | 1 Zenml | 2025-05-07 | N/A | 5.4 MEDIUM |
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account. | |||||
CVE-2021-24502 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | 3.5 LOW | 4.8 MEDIUM |
The WP Google Map WordPress plugin before 1.7.7 did not sanitise or escape the Map Title before outputting it in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed. | |||||
CVE-2016-10878 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS. | |||||
CVE-2023-23878 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | N/A | 5.9 MEDIUM |
Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in flippercode WordPress Plugin for Google Maps – WP MAPS plugin <= 4.3.9 versions. |