2025-03-04
2025-03-04 14:15Z
HIGH

CVE-2025-1943 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1943

Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 136 and Thunderbird 136. CVSSv3.1 8.2 (HIGH)

CWECWE 122VNDMozillaTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-03-04
2025-03-04 14:15Z
CRIT

CVE-2025-1942 — Mozilla Firefox: When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1942

When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string. This vulnerability was fixed in Firefox 136 and Thunderbird 136. CVSSv3.1 9.8 (CRITICAL)

CWECWE 908VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-03-04
2025-03-04 14:15Z
CRIT

CVE-2025-1941 — Mozilla Firefox: Under certain circumstances, a user opt-in setting that Focus should require authentication before use

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1941

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136. CVSSv3.1 9.1 (CRITICAL)

CWECWE 284VNDMozillaTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-03-04
2025-03-04 14:15Z
HIGH

CVE-2025-1932 — Mozilla Firefox: An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1932

An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. CVSSv3.1 8.1 (HIGH)

CWECWE 125VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-03-04
2025-03-04 14:15Z
HIGH

CVE-2025-1930 — Mozilla Firefox: On Windows, a compromised content process could use bad StreamData sent over AudioIPC to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1930

On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. CVSSv3.1 8.8 (HIGH)

CWECWE 416VNDMozillaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-03-03
2025-03-03 15:15Z
CRIT

CVE-2024-8262 — Prolizyazilim Student_affairs_information_system: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Proliz

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-8262

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Proliz Software OBS allows Path Traversal. This issue affects OBS: before 24.0927. CVSSv3.1 9.8 (CRITICAL) · EPSS 64th percentile

CWECWE 22VNDProlizyazilimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-03-03
2025-03-03 14:15Z
CRIT

CVE-2025-27270 — Authorization: Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Privilege Escalation.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-27270

Missing Authorization vulnerability in enituretechnology Residential Address Detection residential-address-detection allows Privilege Escalation.This issue affects Residential Address Detection: from n/a through <= 2.5.4. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-03-03
2025-03-03 14:15Z
CRIT

CVE-2025-27268 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-27268

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows SQL Injection.This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.18. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-03-03
2025-03-03 14:15Z
HIGH

CVE-2025-27263 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-27263

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows SQL Injection.This issue affects Doctor Appointment Booking: from n/a through <= 1.0.0. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-03-03
2025-03-03 14:15Z
HIGH

CVE-2025-26999 — Deserialization: of Untrusted Data vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26999

Deserialization of Untrusted Data vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Object Injection.This issue affects ProfileGrid : from n/a through <= 5.9.4.3. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-03-03
2025-03-03 14:15Z
CRIT

CVE-2025-26988 — Cozyvision Sms_alert_order_notifications: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26988

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection.This issue affects SMS Alert Order Notifications: from n/a through <= 3.7.8. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDCozyvisionTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-03-03
2025-03-03 14:15Z
CRIT

CVE-2025-26970 — Arktheme The_ark: Improper Control of Generation of Code ('Code Injection') vulnerability in FRESHFACE Ark Theme Core

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26970

Improper Control of Generation of Code ('Code Injection') vulnerability in FRESHFACE Ark Theme Core ark-core allows Code Injection.This issue affects Ark Theme Core: from n/a through < 1.71.0. CVSSv3.1 10.0 (CRITICAL)

CWECWE 94VNDArkthemeTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-03-03
2025-03-03 14:15Z
HIGH

CVE-2025-26967 — Wpgeodirectory Events_calendar*: Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory events-for-geodirectory allows Object

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26967

Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory events-for-geodirectory allows Object Injection.This issue affects Events Calendar for GeoDirectory: from n/a through <= 2.3.14. CVSSv3.1 8.8 (HIGH)

CWECWE 502VNDWpgeodirectoryTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-03-03
2025-03-03 14:15Z
CRIT

CVE-2025-26535 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26535

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Blind SQL Injection.This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through <= 1.7.6. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-03-03
2025-03-03 14:15Z
HIGH

CVE-2025-26534 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26534

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in helloprint Helloprint helloprint allows Path Traversal.This issue affects Helloprint: from n/a through <= 2.0.7. CVSSv3.1 8.6 (HIGH)

CWECWE 22TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-03-03
2025-03-03 14:15Z
CRIT

CVE-2025-25150 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-25150

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing ulisting allows Blind SQL Injection.This issue affects uListing: from n/a through <= 2.1.6. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-03-03
2025-03-03 14:15Z
HIGH

CVE-2025-25122 — Path: Traversal: '.../...//' vulnerability in hashshop WizShop wizshop allows Path Traversal.This issue affects WizShop

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-25122

Path Traversal: '.../...//' vulnerability in hashshop WizShop wizshop allows Path Traversal.This issue affects WizShop: from n/a through <= 3.0.2. CVSSv3.1 8.1 (HIGH)

CWECWE 35TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-03-03
2025-03-03 14:15Z
HIGH

CVE-2025-25109 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-25109

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky WP Vehicle Manager js-vehicle-manager allows PHP Local File Inclusion.This issue affects WP Vehicle Manager: from n/a through <= 3.1. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-02-28
2025-02-28 22:15Z
MED

CVE-2025-26466 — Openbsd Openssh: Consequently, the server may become unavailable, resulting in a denial of service attack.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26466

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack. CVSSv3.1 5.9 (MEDIUM) · EPSS 98th percentile

CWECWE 770TYPVulnerability
5.9
CVSS v3.1
91
Edit Score
2025-02-28
2025-02-28 22:15Z
CRIT

CVE-2024-1509 — Broadcom Brocade_active_support_connectivity_gateway: The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1509

Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. CVSSv3.1 9.1 (CRITICAL)

CWECWE 523VNDBroadcomVNDBrocadeTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-02-28
2025-02-28 09:15Z
CRIT

CVE-2024-8425 — Wpswings Woocommerce_ultimate_gift_card: The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-8425

The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that this may have been patched on an older v CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDWpswingsVNDWoocommerceTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-02-28
2025-02-28 00:15Z
HIGH

CVE-2024-12811 — Traveler: The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12811

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.9 via shortcodes. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and CVSSv3.1 8.8 (HIGH)

CWECWE 98VNDTravelerTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-02-27
2025-02-27 21:15Z
CRIT

CVE-2024-55160 — G-fast Gfast: between v2 to v3.2 was discovered to contain a SQL injection vulnerability via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-55160

GFast between v2 to v3.2 was discovered to contain a SQL injection vulnerability via the OrderBy parameter at /system/operLog/list. CVSSv3.1 9.8 (CRITICAL) · EPSS 39th percentile

CWECWE 89VNDG FastVNDGfastTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-02-27
2025-02-27 21:15Z
CRIT

CVE-2024-51139 — Draytek Vigor2620_firmware: Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51139

Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862/2926 3.9.9.5 and earlier and Vigor2133/2762/2832 3.9.9 and earlier and Vigor165/166 4.2.7 and earlier and Vigor2135/2765/2766 4.4.5.1 and earlier and Vigor2865/2866/2927 4.4.5.3 and earlier and Vigor2962/3910 4.3.2.8/4.4.3.1 and earlier and Vigor3912 4.3.6.1 and earlier allows a remote attacker to execute arbitrary code via the CGI parser's handling of the CVSSv3.1 9.8 (CRITICAL) · EPSS 61th percentile

CWECWE 120VNDBufferVNDDraytekTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-02-27
2025-02-27 21:15Z
CRIT

CVE-2024-51138 — Draytek Vigor3912_firmware: and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51138

Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5. and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; Vigor3910 4.4.3.1 and earlier a stack-based buffer overflow vulnerability has been identified in the URL parsing functionality of the TR069 STUN server. This CVSSv3.1 9.8 (CRITICAL) · EPSS 63th percentile

CWECWE 121VNDDraytekTYPVulnerability
9.8
CVSS v3.1
99
Edit Score