Total
4933 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5304 | 2025-06-30 | N/A | 9.8 CRITICAL | ||
| The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnb_pto_new_users_add() function in versions 1.0.0 through 1.1.3. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. | |||||
| CVE-2021-28141 | 1 Progress | 1 Telerik Ui For Asp.net Ajax | 2025-06-30 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server. | |||||
| CVE-2023-40670 | 1 Wpdeveloper | 1 Reviewx | 2025-06-27 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in ReviewX Team ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ReviewX: from n/a through 1.6.17. | |||||
| CVE-2024-3609 | 1 Wpdeveloper | 1 Reviewx | 2025-06-27 | N/A | 4.3 MEDIUM |
| The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image function in all versions up to, and including, 1.6.27. This makes it possible for authenticated attackers, with subscriber access and above, to delete attachments. | |||||
| CVE-2025-6664 | 1 Codeastro | 1 Patient Record Management System | 2025-06-27 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in CodeAstro Patient Record Management System 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-32254 | 1 Iqonic | 1 Wpbookit | 2025-06-27 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in Iqonic Design WPBookit allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPBookit: from n/a through 1.0.1. | |||||
| CVE-2025-6476 | 1 Oretnom23 | 1 Gym Management System | 2025-06-27 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in SourceCodester Gym Management System 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-6478 | 1 Codeastro | 1 Expense Management System | 2025-06-27 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in CodeAstro Expense Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. | |||||
| CVE-2024-50628 | 1 Digi | 7 Connectport Lts 16, Connectport Lts 16 Mei, Connectport Lts 16 Mei 2ac and 4 more | 2025-06-27 | N/A | 8.8 HIGH |
| An issue was discovered in the web services of Digi ConnectPort LTS before 1.4.12. It allows an attacker on the local area network to achieve unauthorized manipulation of resources, which may lead to remote code execution when combined with other issues. | |||||
| CVE-2024-23944 | 1 Apache | 1 Zookeeper | 2025-06-27 | N/A | 5.3 MEDIUM |
| Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue. | |||||
| CVE-2025-27583 | 1 Serosoft | 1 Academia Student Information System | 2025-06-27 | N/A | 9.1 CRITICAL |
| Incorrect access control in the component /rest/staffResource/findAllUsersAcrossOrg of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify user accounts, including an Administrator account. | |||||
| CVE-2025-25953 | 1 Serosoft | 1 Academia Student Information System | 2025-06-27 | N/A | 6.5 MEDIUM |
| Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 was discovered to contain an Azure JWT access token exposure. This vulnerability allows authenticated attackers to escalate privileges and access sensitive information. | |||||
| CVE-2025-6284 | 1 Phpgurukul | 1 Car Rental Portal | 2025-06-26 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in PHPGurukul Car Rental Portal 3.0. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-5846 | 2025-06-26 | N/A | 2.7 LOW | ||
| An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks. | |||||
| CVE-2025-5813 | 2025-06-26 | N/A | 5.3 MEDIUM | ||
| The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new produces. | |||||
| CVE-2025-3863 | 2025-06-26 | N/A | 4.3 MEDIUM | ||
| The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address. | |||||
| CVE-2025-5315 | 2025-06-26 | N/A | 4.3 MEDIUM | ||
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. | |||||
| CVE-2025-5812 | 2025-06-26 | N/A | 4.3 MEDIUM | ||
| The VG WORT METIS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gutenberg_save_post() function in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited post settings. | |||||
| CVE-2025-6341 | 1 Fabian | 1 School Fees Payment System | 2025-06-26 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in code-projects School Fees Payment System 1.0. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-52878 | 1 Jetbrains | 1 Teamcity | 2025-06-25 | N/A | 4.3 MEDIUM |
| In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions | |||||