Total
310656 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7403 | 2025-09-19 | N/A | 7.6 HIGH | ||
| Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption. | |||||
| CVE-2025-5948 | 2025-09-19 | N/A | 9.8 CRITICAL | ||
| The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to claiming a business when using the claim_business AJAX action. This makes it possible for unauthenticated attackers to login as any user including admins. Please note that subscriber privileges or brute-forcing are needed when completing the business takeover. The claim_id is needed to takeover the admin account, but brute-forcing is a practical approach to obtaining valid IDs. | |||||
| CVE-2025-10458 | 2025-09-19 | N/A | 7.6 HIGH | ||
| Parameters are not validated or sanitized, and are later used in various internal operations. | |||||
| CVE-2025-10457 | 2025-09-19 | N/A | 4.3 MEDIUM | ||
| The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching. | |||||
| CVE-2025-10456 | 2025-09-19 | N/A | 7.1 HIGH | ||
| A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation. | |||||
| CVE-2025-5955 | 2025-09-19 | N/A | 8.1 HIGH | ||
| The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it possible for unauthenticated attackers to login as arbitrary users. | |||||
| CVE-2025-10146 | 2025-09-19 | N/A | 6.1 MEDIUM | ||
| The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-8487 | 2025-09-19 | N/A | 5.4 MEDIUM | ||
| The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin. | |||||
| CVE-2025-59717 | 2025-09-19 | N/A | 5.4 MEDIUM | ||
| In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string (instead of an array). | |||||
| CVE-2025-7937 | 2025-09-19 | N/A | 6.6 MEDIUM | ||
| There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW . An attacker can update the system firmware with a specially crafted image. | |||||
| CVE-2025-59715 | 2025-09-19 | N/A | 4.8 MEDIUM | ||
| SMSEagle before 6.11 allows reflected XSS via a username or contact phone number. | |||||
| CVE-2025-59714 | 2025-09-19 | N/A | 6.5 MEDIUM | ||
| In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs. | |||||
| CVE-2025-59713 | 2025-09-19 | N/A | 6.8 MEDIUM | ||
| Snipe-IT before 8.1.18 allows unsafe deserialization. | |||||
| CVE-2025-59712 | 2025-09-19 | N/A | 6.4 MEDIUM | ||
| Snipe-IT before 8.1.18 allows XSS. | |||||
| CVE-2025-59678 | 2025-09-19 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-59677 | 2025-09-19 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-59676 | 2025-09-19 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-59675 | 2025-09-19 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-59674 | 2025-09-19 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-59673 | 2025-09-19 | N/A | N/A | ||
| Rejected reason: Not used | |||||