Security

CVE ID : CVE-2025-4564

Published : May 15, 2025, 12:15 p.m. | 42 minutes ago

Description : The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the ‘delpdf’ action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Severity: 9.8 | CRITICAL

CVE ID : CVE-2025-4762

Published : May 15, 2025, 12:15 p.m. | 42 minutes ago

Description : Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allows an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers.

Severity: 0.0 | NA

CVE ID : CVE-2025-32002

Published : May 15, 2025, 9:15 a.m. | 1 hour, 44 minutes ago

Description : Improper neutralization of special elements used in an OS command (‘OS Command Injection’) issue exists in I-O DATA network attached hard disk ‘HDL-T Series’ firmware Ver.1.21 and earlier when ‘Remote Link3 function’ is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.

Severity: 9.8 | CRITICAL

CVE ID : CVE-2025-32738

Published : May 15, 2025, 9:15 a.m. | 2 hours, 52 minutes ago

Description : Missing authentication for critical function issue exists in I-O DATA network attached hard disk ‘HDL-T Series’ firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.

Severity: 5.3 | MEDIUM

CVE ID : CVE-2025-3446

Published : May 15, 2025, 11:15 a.m. | 52 minutes ago

Description : Mattermost versions 10.6.x

Severity: 4.3 | MEDIUM

CVE ID : CVE-2025-3053

Published : May 15, 2025, 5:15 a.m. | 1 hour, 40 minutes ago

Description : The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user-supplied inputs to execute arbitrary functions with arbitrary data, without any capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.

Severity: 8.8 | HIGH

CVE ID : CVE-2025-48024

Published : May 15, 2025, 5:15 a.m. | 3 hours, 31 minutes ago

Description : In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint.

Severity: 5.0 | MEDIUM

CVE ID : CVE-2024-13914

Published : May 15, 2025, 6:15 a.m. | 2 hours, 31 minutes ago

Description : The File Manager Advanced Shortcode WordPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium), via the ‘file_manager_advanced’ shortcode. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary JavaScript files on the server. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Sites currently using 2.5.4 (file-manager-advanced-shortcode) should be updated to 2.6.0 (advanced-file-manager-pro-premium).

Severity: 7.2 | HIGH

CVE ID : CVE-2025-3742

Published : May 15, 2025, 6:15 a.m. | 2 hours, 31 minutes ago

Description : The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Severity: 0.0 | NA

CVE ID : CVE-2025-48027

Published : May 15, 2025, 6:15 a.m. | 2 hours, 31 minutes ago

Description : The HttpAuth plugin in pGina.Fork through 3.9.9.12 allows authentication bypass when an adversary controls DNS resolution for pginaloginserver.

Severity: 5.4 | MEDIUM

CVE ID : CVE-2025-27523

Published : May 15, 2025, 7:15 a.m. | 1 hour, 31 minutes ago

Description : XXE vulnerability in Hitachi JP1/IT Desktop Management 2 – Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 – Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.

Severity: 8.7 | HIGH

CVE ID : CVE-2025-27524

Published : May 15, 2025, 7:15 a.m. | 1 hour, 31 minutes ago

Description : Weak encryption vulnerability in Hitachi JP1/IT Desktop Management 2 – Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 – Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.

Severity: 5.3 | MEDIUM

CVE ID : CVE-2025-27525

Published : May 15, 2025, 7:15 a.m. | 1 hour, 31 minutes ago

Description : Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 – Smart Device Manager on Windows. This issue affects JP1/IT Desktop Management 2 – Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.

Severity: 3.9 | LOW

CVE ID : CVE-2025-4737

Published : May 15, 2025, 8:15 a.m. | 31 minutes ago

Description : Insufficient encryption vulnerability in the mobile application (com.transsion.aivoiceassistant) may lead to the risk of sensitive information leakage.

Severity: 0.0 | NA

CVE ID : CVE-2025-4589

Published : May 15, 2025, 4:16 a.m. | 39 minutes ago

Description : The Bon Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘bt-map’ shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-4126

Published : May 15, 2025, 4:16 a.m. | 39 minutes ago

Description : The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user-supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers – with contributor-level access and above, on sites with the Classic Editor plugin activated – to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-4591

Published : May 15, 2025, 4:16 a.m. | 39 minutes ago

Description : The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘weluka-map’ shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-32421

Published : May 14, 2025, 11:15 p.m. | 3 hours, 51 minutes ago

Description : Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel’s platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content delivery network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.

Severity: 3.7 | LOW

CVE ID : CVE-2025-46836

Published : May 14, 2025, 11:15 p.m. | 3 hours, 51 minutes ago

Description : net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. In versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. A patch is available and expected to be part of version 2.20.

Severity: 6.6 | MEDIUM
