Security

CVE ID : CVE-2025-46573

Published : May 6, 2025, 9:16 p.m. | 2 hours, 41 minutes ago

Description : passport-wsfed-saml2 provides passport strategy for both WS-fed and SAML2 protocol. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-47418

Published : May 6, 2025, 9:16 p.m. | 2 hours, 41 minutes ago

Description : Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse.

There is no visible indication when the system is recording and recording can be enabled remotely via a network API.
This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-47419

Published : May 6, 2025, 9:16 p.m. | 2 hours, 41 minutes ago

Description : Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic.

The device allows Web UI and API access over non-secure network ports which exposes sensitive information such as user passwords.

This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-0853

Published : May 6, 2025, 10:15 p.m. | 1 hour, 42 minutes ago

Description : The PGS Core plugin for WordPress is vulnerable to SQL Injection via the ‘event’ parameter in the ‘save_header_builder’ function in all versions up to, and including, 5.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-47420

Published : May 6, 2025, 10:15 p.m. | 1 hour, 42 minutes ago

Description : 266 vulnerability in Crestron Automate VX allows Privilege Escalation.This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4372

Published : May 6, 2025, 10:15 p.m. | 1 hour, 42 minutes ago

Description : Use after free in WebAudio in Google Chrome prior to 136.0.7103.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-0855

Published : May 6, 2025, 11:15 p.m. | 42 minutes ago

Description : The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the ‘import_header’ function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-0856

Published : May 6, 2025, 11:15 p.m. | 42 minutes ago

Description : The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options.

Severity: 7.3 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-22477

Published : May 6, 2025, 4:15 p.m. | 1 hour, 59 minutes ago

Description : Dell Storage Center – Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges.

Severity: 8.3 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-22478

Published : May 6, 2025, 4:15 p.m. | 1 hour, 59 minutes ago

Description : Dell Storage Center – Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.

Severity: 8.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45487

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.InternetConnection function.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45489

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the hostname parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45488

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the mailex parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45490

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the password parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45491

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-45492

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the Iface parameter in the action_wireless function.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4363

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : A vulnerability, which was classified as critical, has been found in itsourcecode Gym Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=end_membership. The manipulation of the argument rid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Severity: 7.3 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4368

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : A vulnerability, which was classified as critical, was found in Tenda AC8 16.03.34.06. Affected is the function formGetRouterStatus of the file /goform/MtuSetMacWan. The manipulation of the argument shareSpeed leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4384

Published : May 6, 2025, 4:15 p.m. | 3 hours, 19 minutes ago

Description : The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly.

The use of a client certificate reduces the risk for random devices to take advantage of this flaw.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2023-33770

Published : May 6, 2025, 5:15 p.m. | 2 hours, 19 minutes ago

Description : Real Estate Management System v1.0 was discovered to contain a SQL injection vulnerability via the message parameter at /contact.php.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…