Security

CVE ID : CVE-2025-5840

Published : June 7, 2025, 6:15 p.m. | 1 hour, 38 minutes ago

Description : A vulnerability, which was classified as critical, was found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_update_customer_order.php. The manipulation of the argument uploaded_file leads to unrestricted upload. It is possible to initiate the attack remotely.

Severity: 7.3 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2024-55585

Published : June 7, 2025, 7:15 p.m. | 38 minutes ago

Description : In the moPS App through 1.8.618, all users can access administrative API endpoints without additional authentication, resulting in unrestricted read and write access.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2024-9993

Published : June 7, 2025, 12:15 p.m. | 3 hours, 15 minutes ago

Description : The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_event_details_text parameter of Event Calendar Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2024-9994

Published : June 7, 2025, 12:15 p.m. | 3 hours, 15 minutes ago

Description : The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5568

Published : June 7, 2025, 12:15 p.m. | 3 hours, 15 minutes ago

Description : The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5528

Published : June 7, 2025, 12:15 p.m. | 3 hours, 15 minutes ago

Description : The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-49619

Published : June 7, 2025, 2:15 p.m. | 1 hour, 14 minutes ago

Description : Skyvern through 0.1.85 has a Jinja runtime leak in sdk/workflow/models/block.py.

Severity: 8.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5836

Published : June 7, 2025, 2:15 p.m. | 1 hour, 15 minutes ago

Description : A vulnerability was found in Tenda AC9 15.03.02.13. It has been rated as critical. This issue affects the function formSetIptv of the file /goform/SetIPTVCfg of the component POST Request Handler. The manipulation of the argument list leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5837

Published : June 7, 2025, 2:15 p.m. | 1 hour, 15 minutes ago

Description : A vulnerability classified as critical has been found in PHPGurukul Employee Record Management System 1.3. Affected is an unknown function of the file /admin/allemployees.php. The manipulation of the argument delid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5399

Published : June 7, 2025, 8:15 a.m. | 2 hours, 30 minutes ago

Description : Due to a mistake in libcurl’s WebSocket code, a malicious server can send a
particularly crafted packet which makes libcurl get trapped in an endless
busy-loop.

There is no other way for the application to escape or exit this loop other
than killing the thread/process.

This might be used to DoS libcurl-using application.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5303

Published : June 7, 2025, 9:15 a.m. | 1 hour, 30 minutes ago

Description : The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 7.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-47601

Published : June 7, 2025, 5:15 a.m. | 2 hours, 35 minutes ago

Description : Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation.This issue affects MaxiBlocks: from n/a through 2.1.0.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5814

Published : June 7, 2025, 5:15 a.m. | 2 hours, 35 minutes ago

Description : The Profiler – What Slowing Down Your WP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsd_plugin_control() function in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to reactivate previously deactivated plugins after accessing the “Profiler” page.

Severity: 5.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5799

Published : June 6, 2025, 8:15 p.m. | 1 hour, 59 minutes ago

Description : A vulnerability was found in Tenda AC8 16.03.34.09. It has been declared as critical. Affected by this vulnerability is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5798

Published : June 6, 2025, 8:15 p.m. | 1 hour, 59 minutes ago

Description : A vulnerability was found in Tenda AC8 16.03.34.09. It has been classified as critical. Affected is the function fromSetSysTime of the file /goform/SetSysTimeCfg. The manipulation of the argument timeType leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-49127

Published : June 6, 2025, 9:15 p.m. | 2 hours, 34 minutes ago

Description : Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-49128

Published : June 6, 2025, 10:15 p.m. | 1 hour, 34 minutes ago

Description : Jackson-core contains core low-level incremental (“streaming”) parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core’s `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.

Severity: 4.0 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5747

Published : June 6, 2025, 4:15 p.m. | 1 hour, 44 minutes ago

Description : WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpretation of Input Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installatons of WOLFBOX Level 2 EV Charger devices. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of command frames received by the MCU. When parsing frames, the process does not properly detect the start of a frame, which can lead to misinterpretation of input. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device. Was ZDI-CAN-26501.

Severity: 8.0 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5748

Published : June 6, 2025, 4:15 p.m. | 1 hour, 44 minutes ago

Description : WOLFBOX Level 2 EV Charger LAN OTA Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the Tuya communications module software. The issue results from the exposure of a method allowing the upload of crafted software images to the module. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26349.

Severity: 8.0 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-5750

Published : June 6, 2025, 4:15 p.m. | 3 hours, 33 minutes ago

Description : WOLFBOX Level 2 EV Charger tuya_svc_devos_activate_result_parse Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the secKey, localKey, stdTimeZone and devId parameters. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26294.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…