2025-03-18
2025-03-18 14:15Z
CRIT

CVE-2024-8997 — Vestel Evc04_configuration_interface: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-8997

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vestel EVC04 Configuration Interface allows SQL Injection. This issue affects EVC04 Configuration Interface: before V3.187, V4.53. CVSSv3.1 9.8 (CRITICAL) · EPSS 33th percentile

CWECWE 89VNDVestelTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-03-15
2025-03-15 22:15Z
HIGH

CVE-2025-27281 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-27281

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cookforweb All In Menu all-in-menu allows Blind SQL Injection.This issue affects All In Menu: from n/a through <= 1.1.5. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-03-15
2025-03-15 22:15Z
HIGH

CVE-2025-26978 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26978

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in fs-code FS Poster fs-poster.This issue affects FS Poster: from n/a through <= 6.5.8. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-03-15
2025-03-15 22:15Z
HIGH

CVE-2025-26976 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26976

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent private-content.This issue affects PrivateContent: from n/a through <= 8.11.4. CVSSv3.1 8.5 (HIGH) · EPSS 19th percentile

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-03-15
2025-03-15 22:15Z
HIGH

CVE-2025-26969 — Authorization: Missing Authorization vulnerability in Aldo Latino PrivateContent private-content.This issue affects PrivateContent: from n/a through

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26969

Missing Authorization vulnerability in Aldo Latino PrivateContent private-content.This issue affects PrivateContent: from n/a through <= 8.11.5. CVSSv3.1 8.3 (HIGH)

CWECWE 862TYPVulnerability
8.3
CVSS v3.1
92
Edit Score
2025-03-15
2025-03-15 22:15Z
HIGH

CVE-2025-26961 — Authorization: Missing Authorization vulnerability in FRESHFACE Fresh Framework fresh-framework allows Accessing Functionality Not Properly Constrained

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26961

Missing Authorization vulnerability in FRESHFACE Fresh Framework fresh-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Fresh Framework: from n/a through <= 1.70.0. CVSSv3.1 8.6 (HIGH)

CWECWE 862TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-03-15
2025-03-15 22:15Z
HIGH

CVE-2025-26921 — Deserialization: of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26921

Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.2.6. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-03-15
2025-03-15 22:15Z
CRIT

CVE-2025-26875 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26875

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.3. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-03-15
2025-03-15 04:15Z
HIGH

CVE-2025-1667 — Igexsolutions Wpschoolpress: The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1667

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators. CVSSv3.1 8.8 (HIGH)

CWECWE 862CWECWE 639VNDIgexsolutionsVNDSchoolTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-03-15
2025-03-15 03:15Z
HIGH

CVE-2025-1657 — Stylemixthemes Ulisting: The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1657

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized. A capability check was added in 2.1.8, but the unse CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDStylemixthemesTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-03-15
2025-03-15 03:15Z
HIGH

CVE-2025-1653 — Stylemixthemes Ulisting: The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1653

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.0. This is due to the stm_listing_profile_edit AJAX action not having enough restriction on the user meta that can be updated. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. CVSSv3.1 8.8 (HIGH)

CWECWE 266VNDStylemixthemesTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-03-14
2025-03-14 12:15Z
CRIT

CVE-2024-13771 — Uxper Civi: The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13771

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim. CVSSv3.1 9.8 (CRITICAL)

CWECWE 288CWECWE 306VNDUxperVNDCiviTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-03-12
2025-03-12 08:15Z
HIGH

CVE-2024-58087 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix racy issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-58087

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix racy issue from session lookup and expire Increment the session reference count within the lock for lookup to avoid racy issue with session expire. CVSSv3.1 8.1 (HIGH)

CWECWE 667TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-03-11
2025-03-11 21:15Z
CRIT

CVE-2025-28915 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit themeegg-toolkit

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-28915

Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit themeegg-toolkit allows Upload a Web Shell to a Web Server.This issue affects ThemeEgg ToolKit: from n/a through <= 1.2.9. CVSSv3.1 9.1 (CRITICAL)

CWECWE 434TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-03-11
2025-03-11 10:15Z
HIGH

CVE-2024-56182 — The affected devices have insufficient protection mechanism for the EFI(Extensible Firmware Interface) variables stored

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56182

A vulnerability has been identified in SIMATIC Field PG M5 (All versions), SIMATIC Field PG M6 (All versions < V26.01.12), SIMATIC IPC BX-21A (All versions < V31.01.07), SIMATIC IPC BX-32A (All versions < V29.01.07), SIMATIC IPC BX-39A (All versions < V29.01.07), SIMATIC IPC BX-59A (All versions < V32.01.04), SIMATIC IPC PX-32A (All versions < V29.01.07), SIMATIC IPC PX-39A (All versions < V29.01.07), SIMATIC IPC PX-39A PRO (All versions < V29.01.07), SIMATIC IPC RC-543A (All CVSSv3.1 8.2 (HIGH)

CWECWE 693TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-03-11
2025-03-11 10:15Z
HIGH

CVE-2024-56181 — The affected devices have insufficient protection mechanism for the EFI(Extensible Firmware Interface) variables stored

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56181

A vulnerability has been identified in SIMATIC Field PG M5 (All versions), SIMATIC IPC BX-21A (All versions < V31.01.07), SIMATIC IPC BX-32A (All versions < V29.01.07), SIMATIC IPC BX-39A (All versions < V29.01.07), SIMATIC IPC BX-59A (All versions < V32.01.04), SIMATIC IPC PX-32A (All versions < V29.01.07), SIMATIC IPC PX-39A (All versions < V29.01.07), SIMATIC IPC PX-39A PRO (All versions < V29.01.07), SIMATIC IPC RC-543A (All versions), SIMATIC IPC RC-543B (All versions < CVSSv3.1 8.2 (HIGH)

CWECWE 693TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-03-10
2025-03-10 15:15Z
CRIT

CVE-2025-26936 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in FRESHFACE Fresh Framework fresh-framework

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26936

Improper Control of Generation of Code ('Code Injection') vulnerability in FRESHFACE Fresh Framework fresh-framework allows Code Injection.This issue affects Fresh Framework: from n/a through <= 1.70.0. CVSSv3.1 10.0 (CRITICAL)

CWECWE 94TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-03-10
2025-03-10 15:15Z
CRIT

CVE-2025-26916 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26916

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pixflow Massive Dynamic massive-dynamic.This issue affects Massive Dynamic: from n/a through <= 8.2. CVSSv3.1 9.0 (CRITICAL)

CWECWE 98TYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2025-03-06
2025-03-06 14:15Z
CRIT

CVE-2024-12144 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12144

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Finder Fire Safety Finder ERP/CRM (Old System) allows SQL Injection. This issue affects Finder ERP/CRM (Old System): before 18.12.2024. CVSSv3.1 9.8 (CRITICAL) · EPSS 21th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-03-05
2025-03-05 14:15Z
CRIT

CVE-2024-13147 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13147

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Merkur Software B2B Login Panel allows SQL Injection. This issue affects B2B Login Panel: before 15.01.2025. CVSSv3.1 9.8 (CRITICAL) · EPSS 30th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-03-05
2025-03-05 14:15Z
CRIT

CVE-2024-12097 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12097

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Boceksoft Informatics E-Travel allows SQL Injection. This issue affects E-Travel: before 15.12.2024. CVSSv3.1 9.8 (CRITICAL) · EPSS 30th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-03-05
2025-03-05 12:15Z
CRIT

CVE-2024-12281 — Homey: The Homey theme for WordPress is vulnerable to privilege escalation in all versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12281

The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the Administrator, Editor, or Shop Manager role. CVSSv3.1 9.8 (CRITICAL)

CWECWE 269VNDHomeyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-03-05
2025-03-05 10:15Z
HIGH

CVE-2025-0956 — WooCommerce: The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-0956

The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.4.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the sit CVSSv3.1 8.1 (HIGH)

CWECWE 502VNDWoocommerceTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-03-04
2025-03-04 16:15Z
HIGH

CVE-2025-23368 — Redhat Wildfly_core: The component does not implement sufficient measures to prevent multiple failed authentication attempts within

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-23368

A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. CVSSv3.1 8.1 (HIGH) · EPSS 40th percentile

CWECWE 307VNDWildflyTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-03-04
2025-03-04 15:15Z
HIGH

CVE-2024-9149 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-9149

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wind Media E-Commerce Website Template allows SQL Injection. This issue affects E-Commerce Website Template: before v1.5. CVSSv3.1 8.6 (HIGH) · EPSS 22th percentile

CWECWE 89TYPVulnerability
8.6
CVSS v3.1
93
Edit Score