Total: 316927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41345 | | | 2025-11-04 | N/A | N/A |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarDenunciasById.php'. | |||||
| CVE-2025-20739 | | | 2025-11-04 | N/A | 6.7 MEDIUM |
| In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00435340; Issue ID: MSV-4038. | |||||
| CVE-2025-41336 | | | 2025-11-04 | N/A | N/A |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarConfiguracionParametros.php'. | |||||
| CVE-2025-11704 | | | 2025-11-04 | N/A | 7.5 HIGH |
| The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the `elegance-menu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | |||||
| CVE-2025-27070 | | | 2025-11-04 | N/A | 7.8 HIGH |
| Memory corruption while performing encryption and decryption commands. | |||||
| CVE-2025-11007 | | | 2025-11-04 | N/A | 9.8 CRITICAL |
| The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site. | |||||
| CVE-2025-12369 | | | 2025-11-04 | N/A | 6.4 MEDIUM |
| The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `geojsonmarker` shortcode in all versions up to, and including, 4.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-12400 | | | 2025-11-04 | N/A | 6.1 MEDIUM |
| The LMB^Box Smileys plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-47357 | | | 2025-11-04 | N/A | 8.0 HIGH |
| Information Disclosure when a user-level driver performs QFPROM read or write operations on Fuse regions. | |||||
| CVE-2025-12158 | | | 2025-11-04 | N/A | 9.8 CRITICAL |
| The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator. | |||||
| CVE-2025-20746 | | | 2025-11-04 | N/A | 6.7 MEDIUM |
| In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967. | |||||
| CVE-2025-27064 | | | 2025-11-04 | N/A | 6.1 MEDIUM |
| Information disclosure while registering commands from clients with diag through diagHal. | |||||
| CVE-2025-12412 | | | 2025-11-04 | N/A | 6.1 MEDIUM |
| The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-43431 | | | 2025-11-04 | N/A | 8.8 HIGH |
| The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to memory corruption. | |||||
| CVE-2025-12156 | | | 2025-11-04 | N/A | 4.3 MEDIUM |
| The Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_post_data() function in versions 2.0.7 to 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create and publish arbitrary posts. | |||||
| CVE-2025-41112 | | | 2025-11-04 | N/A | N/A |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarConfiguracionParametros2.php'. | |||||
| CVE-2025-11724 | | | 2025-11-04 | N/A | 8.8 HIGH |
| The EM Beer Manager plugin for WordPress is vulnerable to arbitrary file upload leading to remote code execution in all versions up to, and including, 3.2.3. This is due to missing file type validation in the EMBM_Admin_Untappd_Import_image() function and missing authorization checks on the wp_ajax_embm-untappd-import action. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files including PHP files and execute code on the server granted they can provide a mock HTTP server that responds with specific JSON data. | |||||
| CVE-2025-41342 | | | 2025-11-04 | N/A | N/A |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_user' in '/backend/api/buscarUsuarioId.php'. | |||||
| CVE-2025-47360 | | | 2025-11-04 | N/A | 7.8 HIGH |
| Memory corruption while processing client message during device management. | |||||
| CVE-2025-41111 | | | 2025-11-04 | N/A | N/A |
| A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_denuncia' in '/backend/api/buscarComentariosByDenuncia.php'. | |||||
