Total
302268 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-44860 | 1 Solvait | 1 Solvait | 2025-07-10 | N/A | 7.5 HIGH |
| An information disclosure vulnerability in the /Letter/PrintQr/ endpoint of Solvait v24.4.2 allows attackers to access sensitive data via a crafted request. | |||||
| CVE-2025-26663 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-07-10 | N/A | 8.1 HIGH |
| Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2025-37097 | 1 Hpe | 1 Insight Remote Support | 2025-07-10 | N/A | 7.5 HIGH |
| A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service | |||||
| CVE-2024-41659 | 1 Usememos | 1 Memos | 2025-07-10 | N/A | 8.1 HIGH |
| memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0. | |||||
| CVE-2025-37098 | 1 Hpe | 1 Insight Remote Support | 2025-07-10 | N/A | 7.5 HIGH |
| A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646. | |||||
| CVE-2024-6883 | 1 Eventespresso | 1 Event Espresso | 2025-07-10 | N/A | 4.3 MEDIUM |
| The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to, and including, 5.0.22.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings. | |||||
| CVE-2025-37099 | 1 Hpe | 1 Insight Remote Support | 2025-07-10 | N/A | 9.8 CRITICAL |
| A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646. | |||||
| CVE-2024-46097 | 1 Testlink | 1 Testlink | 2025-07-10 | N/A | 8.1 HIGH |
| TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. When a new TestPlan is created, an ID with an incremental value is automatically generated. Using the edit function you can change the tplan_id parameter to another ID. The application does not carry out a check on the user's permissions maing it possible to recover the IDs of all the TestPlans (even the administrative ones) and modify them even with minimal privileges. | |||||
| CVE-2025-5692 | 1 Smackcoders | 1 Lead Form Data Collection To Crm | 2025-07-10 | N/A | 8.8 HIGH |
| The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable. | |||||
| CVE-2024-5335 | 1 Bdthemes | 1 Ultimate Store Kit | 2025-07-10 | N/A | 9.8 CRITICAL |
| The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_compare_products cookie in versions up to , and including, 1.6.4. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-8030 | 1 Bdthemes | 1 Ultimate Store Kit | 2025-07-10 | N/A | 9.8 CRITICAL |
| The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_wishlist cookie in versions up to , and including, 2.0.3. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2022-2440 | 1 Themeeditor | 1 Theme Editor | 2025-07-10 | N/A | 7.2 HIGH |
| The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | |||||
| CVE-2024-7435 | 1 Wpattire | 1 Attire | 2025-07-10 | N/A | 8.8 HIGH |
| The Attire theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.6 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-25411 | 1 Flatpress | 1 Flatpress | 2025-07-10 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter in setup.php. | |||||
| CVE-2024-13451 | 1 Bitapps | 1 Bit Form | 2025-07-10 | N/A | 5.3 MEDIUM |
| The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5. | |||||
| CVE-2024-7620 | 1 Fastlinemedia | 1 Customizer Export\/import | 2025-07-10 | N/A | 6.6 MEDIUM |
| The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created. | |||||
| CVE-2023-37230 | 1 Loftware | 1 Spectrum | 2025-07-10 | N/A | 8.8 HIGH |
| Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF. | |||||
| CVE-2025-26652 | 1 Microsoft | 5 Windows Server 2012, Windows Server 2016, Windows Server 2019 and 2 more | 2025-07-10 | N/A | 7.5 HIGH |
| Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. | |||||
| CVE-2024-44867 | 1 Phpok | 1 Phpok | 2025-07-10 | N/A | 7.5 HIGH |
| phpok v3.0 was discovered to contain an arbitrary file read vulnerability via the component /autoload/file.php. | |||||
| CVE-2025-26651 | 1 Microsoft | 6 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 3 more | 2025-07-10 | N/A | 6.5 MEDIUM |
| Exposed dangerous method or function in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | |||||