Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,377
Quick preset (or use dates below)
Clear Filters
Showing 14,581 - 14,600 of 14,834 CVEs
CVE-2025-62146 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maksym Marko MX Time Zone Clocks allows Stored XSS.This issue affects MX Time Zone Clocks: from n/a through 5.1.1.

Published: Dec 31, 2025
Source: NVD
CVE-2025-62137 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shuttlethemes Shuttle allows Stored XSS.This issue affects Shuttle: from n/a through 1.5.0.

Published: Dec 31, 2025
Source: NVD
CVE-2025-62136 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Melos allows Stored XSS.This issue affects Melos: from n/a through 1.6.0.

Published: Dec 31, 2025
Source: NVD
CVE-2025-14783 MEDIUM - 4.3

The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to r...

Published: Dec 31, 2025
Source: NVD
CVE-2025-69277 MEDIUM - 4.5

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

Published: Dec 31, 2025
Source: NVD
CVE-2025-14434 MEDIUM - 5.3

The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX โ€œload moreโ€ endpoints such as upk_alex_grid_loadmore_posts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and re...

Published: Dec 31, 2025
Source: NVD
CVE-2025-15374 MEDIUM - 5.4

A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit ...

Vendor: eyoucms
Product: eyoucms
Published: Dec 31, 2025
Source: NVD
CVE-2025-15373 MEDIUM - 4.3

A security vulnerability has been detected in EyouCMS up to 1.7.7. Impacted is the function saveRemote of the file application/function.php. Such manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. ...

Vendor: eyoucms
Product: eyoucms
Published: Dec 31, 2025
Source: NVD
CVE-2025-15372 MEDIUM - 4.8

A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The ex...

Vendor: youlai
Product: vue3-element-admin
Published: Dec 31, 2025
Source: NVD
CVE-2025-15223 MEDIUM - 4.3

A vulnerability was found in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. Impacted is an unknown function of the file /login.php. Performing manipulation of the argument Username results in cross site scripting. The attack is possible to be carried out remotely. The exp...

Published: Dec 31, 2025
Source: NVD
CVE-2025-15112 MEDIUM - 5.4

Ksenia Security Lares 4.0 version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking...

Vendor: kseniasecurity
Product: lares_firmware
Published: Dec 30, 2025
Source: NVD
CVE-2024-58337 MEDIUM - 4.3

Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionali...

Vendor: akuvox
Product: s539_firmware
Published: Dec 30, 2025
Source: NVD
CVE-2024-58336 MEDIUM - 5.3

Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authentication by directly accessing the specified endpoint on affected A...

Vendor: akuvox
Product: s539_firmware
Published: Dec 30, 2025
Source: NVD
CVE-2022-50802 MEDIUM - 6.1

ETAP Safety Manager 1.0.0.32 contains a cross-site scripting vulnerability in the 'action' GET parameter that allows unauthenticated attackers to inject malicious HTML and JavaScript. Attackers can craft specially formed requests to execute arbitrary scripts in victim browser sessions, pot...

Vendor: etaplighting
Product: etap_safety_manager
Published: Dec 30, 2025
Source: NVD
CVE-2022-50801 MEDIUM - 4.3

JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to authenticated stored cross-site scripting (XSS) attacks, allowing attackers with authenticated access to inject malicious scripts that will be executed in other users' browsers when they view the affected content.

Published: Dec 30, 2025
Source: NVD
CVE-2025-69257 MEDIUM - 6.7

theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.config/theshit/`) without validating ownership or permissions wh...

Published: Dec 30, 2025
Source: NVD
CVE-2025-66823 MEDIUM - 5.4

An HTML Injection vulnerability in TrueConf server 5.5.2.10813 in the conference description field allows an attacker to inject arbitrary HTML in the Create/Edit conference functionality. The payload will be triggered when the victim opens the Conference Info page ([conference url]/info).

Vendor: trueconf
Product: server
Published: Dec 30, 2025
Source: NVD
CVE-2025-15258 MEDIUM - 6.1

A weakness has been identified in Edimax BR-6208AC 1.02/1.03. Affected by this issue is the function formALGSetup of the file /goform/formALGSetup of the component Web-based Configuration Interface. This manipulation of the argument wlan-url causes open redirect. The attack is possible to be carried...

Vendor: edimax
Product: br-6208ac_firmware
Published: Dec 30, 2025
Source: NVD
CVE-2025-68950 MEDIUM - 6.2

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack overflow. This is a DoS vulnerability, and any situation that allows reading the mvg file will ...

Vendor: imagemagick
Product: imagemagick
Published: Dec 30, 2025
Source: NVD
CVE-2025-66103 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Revmakx WPCal.Io allows DOM-Based XSS.This issue affects WPCal.Io: from n/a through 0.9.5.9.

Published: Dec 30, 2025
Source: NVD