Total
316927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-6027 | 2025-11-05 | N/A | N/A | ||
| The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators. | |||||
| CVE-2025-21079 | 2025-11-05 | N/A | 7.1 HIGH | ||
| Improper input validation in Samsung Members prior to version 5.5.01.3 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability. | |||||
| CVE-2025-21078 | 2025-11-05 | N/A | 8.8 HIGH | ||
| Use of insufficiently random value of secretKey in Smart Switch prior to version 3.7.68.6 allows adjacent attackers to access backup data from applications. | |||||
| CVE-2025-21077 | 2025-11-05 | N/A | 3.3 LOW | ||
| Improper input validation in Samsung Email prior to version 6.2.06.0 allows local attackers to launch arbitrary activity with Samsung Email privilege. | |||||
| CVE-2025-21076 | 2025-11-05 | N/A | 5.5 MEDIUM | ||
| Improper handling of insufficient permissions or privileges in Samsung Account prior to version 15.5.00.18 allows local attackers to access data in Samsung Account. User interaction is required for triggering this vulnerability. | |||||
| CVE-2025-21075 | 2025-11-05 | N/A | 4.3 MEDIUM | ||
| Out-of-bounds write in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory. | |||||
| CVE-2025-21074 | 2025-11-05 | N/A | 4.3 MEDIUM | ||
| Out-of-bounds read in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory. | |||||
| CVE-2025-21073 | 2025-11-05 | N/A | 6.8 MEDIUM | ||
| Insecure default configuration in USB connection mode prior to SMR Nov-2025 Release 1 allows privileged physical attackers to access user data. User interaction is required for triggering this vulnerability. | |||||
| CVE-2025-21071 | 2025-11-05 | N/A | 5.7 MEDIUM | ||
| Out-of-bounds write in handling opcode in fingerprint trustlet prior to SMR Nov-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | |||||
| CVE-2025-11749 | 2025-11-05 | N/A | 9.8 CRITICAL | ||
| The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation. | |||||
| CVE-2025-11072 | 2025-11-05 | N/A | N/A | ||
| The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files. | |||||
| CVE-2025-10873 | 2025-11-05 | N/A | N/A | ||
| The ElementInvader Addons for Elementor WordPress plugin before 1.4.1 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action. | |||||
| CVE-2025-10567 | 2025-11-05 | N/A | N/A | ||
| The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users. | |||||
| CVE-2025-12197 | 2025-11-05 | N/A | 7.5 HIGH | ||
| The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2025-11162 | 2025-11-05 | N/A | 6.4 MEDIUM | ||
| The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-64455 | 2025-11-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-64454 | 2025-11-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-64453 | 2025-11-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-64452 | 2025-11-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-64451 | 2025-11-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||