CVE ID : CVE-2025-45755

Published : May 21, 2025, 8:15 p.m. | 26 minutes ago

Description : A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46412

Published : May 21, 2025, 8:15 p.m. | 26 minutes ago

Description : Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5051

Published : May 21, 2025, 8:15 p.m. | 26 minutes ago

Description : A vulnerability classified as critical has been found in FreeFloat FTP Server 1.0. Affected is an unknown function of the component BINARY Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Severity: 7.3 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

ASCII Draw is an app to draw diagrams or anything using only ASCII. The post ASCII Draw lets you sketch…

Shopify’s latest Edition unveils Horizon—a modular, AI-powered theme foundation that puts design freedom and storytelling in the hands of every…

CVE ID : CVE-2025-48205

Published : May 21, 2025, 4:15 p.m. | 28 minutes ago

Description : The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference.

Severity: 8.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-48201

Published : May 21, 2025, 4:15 p.m. | 28 minutes ago

Description : The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location.

Severity: 8.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-48200

Published : May 21, 2025, 4:15 p.m. | 28 minutes ago

Description : The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution.

Severity: 10.0 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-48207

Published : May 21, 2025, 4:15 p.m. | 28 minutes ago

Description : The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference.

Severity: 8.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4524

Published : May 21, 2025, 7:16 a.m. | 7 hours, 26 minutes ago

Description : The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the ‘template’ parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-41232

Published : May 21, 2025, 12:16 p.m. | 2 hours, 26 minutes ago

Description : Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass.

Your application may be affected by this if the following are true:

* You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
* You have Spring Security method annotations on a private method
In that case, the target method may be able to be invoked without proper authorization.

You are not affected if:

* You are not using @EnableMethodSecurity(mode=ASPECTJ) or spring-security-aspects, or
* You have no Spring Security-annotated private methods

Severity: 9.1 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-3750

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : The Network Posts Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_height’ parameter in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-3781

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s raisely_donation_form shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-48413

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system “root” user. The credentials are shipped with the update files. There is no option for deleting or changing their passwords for an enduser. An attacker can use the credentials to log into the device. Authentication can be performed via SSH backdoor or likely via physical access (UART shell).

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-48414

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : There are several scripts in the web interface that are accessible via undocumented hard-coded credentials. The scripts provide access to additional administrative/debug functionality and are likely intended for debugging during development and provides an additional attack surface.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4105

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the ‘splitIt-flexfields-payment-gateway.php’ file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.

Severity: 5.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4217

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : The WP YouTube Video Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘ib_youtube’ shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4219

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘dpe’ shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4221

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘auto-downloader’ shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4611

Published : May 21, 2025, 12:16 p.m. | 2 hours, 34 minutes ago

Description : The Slim SEO – Fast & Automated WordPress SEO Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s slim_seo_breadcrumbs shortcode in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…