CVE tracker
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2025-8558 - ITM Server Authentication Bypass

CVE ID : CVE-2025-8558
Published : Nov. 3, 2025, 7:16 p.m. | 42 minutes ago
Description : Insider Threat Management (ITM) Server versions prior to 7.17.2 contain an authentication bypass vulnerability that allows unauthenticated users on an adjacent network to perform agent unregistration when the number of registered agents exceeds the licensed limit. Successful exploitation prevents the server from receiving new events from affected agents, resulting in a partial loss of integrity and availability with no impact to confidentiality.
Severity: 2.3 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12642 - HTTP Header Smuggling via Trailer Merge

CVE ID : CVE-2025-12642
Published : Nov. 3, 2025, 7:36 p.m. | 22 minutes ago
Description : lighttpd 1.4.80 incorrectly merged trailer fields into headers after HTTP request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to:
* Bypass access control rules
* Inject unsafe input into backend logic that trusts request headers
* Execute HTTP Request Smuggling attacks under some conditions
This issue affects lighttpd 1.4.80.
Severity: 6.9 | MEDIUM
CVE-2025-12531 - IBM InfoSphere Information Server is affected by an XML external entity injection (XXE) vulnerability

CVE ID : CVE-2025-12531
Published : Nov. 3, 2025, 8:17 p.m. | 3 hours, 42 minutes ago
Description : IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity: 7.1 | HIGH
CVE-2025-50735 - NextChat WebDAV Directory Traversal Vulnerability

CVE ID : CVE-2025-50735
Published : Nov. 3, 2025, 8:19 p.m. | 3 hours, 40 minutes ago
Description : Directory traversal vulnerability in NextChat through 2.16.0 due to the WebDAV proxy failing to canonicalize or reject dot path segments in its catch-all route, allowing attackers to gain sensitive information via authenticated or anonymous WebDAV endpoints.
Severity: 7.5 | HIGH
CVE-2025-63593 - Grav CMS Cross Site Scripting (XSS) Vulnerability

CVE ID : CVE-2025-63593
Published : Nov. 3, 2025, 8:19 p.m. | 3 hours, 40 minutes ago
Description : Grav CMS 1.7.49.5 is vulnerable to Cross Site Scripting (XSS).
Severity: 0.0 | NA
CVE-2025-12657 - Malformed KMIP response may result in access violation

CVE ID : CVE-2025-12657
Published : Nov. 3, 2025, 9:18 p.m. | 2 hours, 41 minutes ago
Description : The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.
Severity: 5.9 | MEDIUM
CVE-2025-63293 - FairSketch Rise Ultimate Project Manager & CRM Information Disclosure/Privilege Escalation

CVE ID : CVE-2025-63293
Published : Nov. 3, 2025, 9:19 p.m. | 2 hours, 40 minutes ago
Description : FairSketch Rise Ultimate Project Manager & CRM 3.9.4 is vulnerable to Insecure Permissions. A remote authenticated user can append comments or upload attachments to tickets for which they lack view or edit authorization, due to missing authorization checks in the ticketing/commenting API.
Severity: 6.5 | MEDIUM
CVE-2016-15054 - Nagios XI < 5.4.0 XSS via jQuery Migrate Library

CVE ID : CVE-2016-15054
Published : Nov. 3, 2025, 10:15 p.m. | 1 hour, 44 minutes ago
Description : Nagios XI versions prior to 5.4.0 are vulnerable to cross-site scripting (XSS) via the jQuery Migrate library. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Severity: 5.1 | MEDIUM
CVE-2021-47698 - Nagios XI < 5.8.7 XSS in Core UI Views URL handling

CVE ID : CVE-2021-47698
Published : Nov. 3, 2025, 10:15 p.m. | 1 hour, 44 minutes ago
Description : Nagios XI versions prior to 5.8.7 using embedded Nagios Core are vulnerable to cross-site scripting (XSS) via the Core UI’s Views URL handling. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Severity: 5.1 | MEDIUM
CVE-2024-13997 - Nagios XI < 2024R1.1.3 Privilege Escalation via Migrate Server Feature to Root on Host

CVE ID : CVE-2024-13997
Published : Nov. 3, 2025, 10:16 p.m. | 1 hour, 43 minutes ago
Description : Nagios XI versions prior to 2024R1.1.3 contain a privilege escalation vulnerability in which an authenticated administrator could leverage the Migrate Server feature to obtain root privileges on the underlying XI host. By abusing the migration workflow, an admin-level attacker could execute actions outside the intended security scope of the application, resulting in full control of the operating system.
Severity: 9.4 | CRITICAL
CVE-2024-13998 - Nagios XI < 2024R1.1.3 API Keys & Hashed Passwords Authenticated Information Disclosure

CVE ID : CVE-2024-13998
Published : Nov. 3, 2025, 10:16 p.m. | 1 hour, 43 minutes ago
Description : Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions.
Severity: 6.0 | MEDIUM
CVE-2025-11193 - Lenovo Tablet Information Disclosure Vulnerability

CVE ID : CVE-2025-11193
Published : Nov. 3, 2025, 10:18 p.m. | 1 hour, 41 minutes ago
Description : A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information.
Severity: 6.8 | MEDIUM
CVE-2025-34501 - Shuffle Master Deck Mate 2 Hard-coded Credentials & Exposed Services

CVE ID : CVE-2025-34501
Published : Nov. 3, 2025, 10:18 p.m. | 1 hour, 41 minutes ago
Description : Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.
Severity: 7.0 | HIGH
CVE-2025-36172 - Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002

CVE ID : CVE-2025-36172
Published : Nov. 3, 2025, 10:18 p.m. | 1 hour, 41 minutes ago
Description : IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Severity: 6.4 | MEDIUM
CVE-2025-43502 - Apple Safari iOS iPadOS VisionOS Privacy Bypass

CVE ID : CVE-2025-43502
Published : Nov. 4, 2025, 2:15 a.m. | 1 hour, 44 minutes ago
Description : A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. An app may be able to bypass certain Privacy preferences.
Severity: 0.0 | NA
CVE-2025-43503 - Apple Safari WatchOS iPadOS VisionOS UI Spoofing

CVE ID : CVE-2025-43503
Published : Nov. 4, 2025, 2:15 a.m. | 1 hour, 44 minutes ago
Description : An inconsistent user interface issue was addressed with improved state management. This issue is fixed in watchOS 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Visiting a malicious website may lead to user interface spoofing.
Severity: 0.0 | NA
CVE-2025-43504 - Apple Xcode Buffer Overflow Denial-of-Service

CVE ID : CVE-2025-43504
Published : Nov. 4, 2025, 2:15 a.m. | 1 hour, 44 minutes ago
Description : A buffer overflow was addressed with improved bounds checking. This issue is fixed in Xcode 26.1. A user in a privileged network position may be able to cause a denial-of-service.
Severity: 0.0 | NA
CVE-2025-43505 - Apple Xcode Heap Corruption Out-of-Bounds Write

CVE ID : CVE-2025-43505
Published : Nov. 4, 2025, 2:15 a.m. | 1 hour, 44 minutes ago
Description : An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in Xcode 26.1. Processing a maliciously crafted file may lead to heap corruption.
Severity: 0.0 | NA
CVE-2025-43507 - Apple Watch/Fingerprinting

CVE ID : CVE-2025-43507
Published : Nov. 4, 2025, 2:15 a.m. | 1 hour, 44 minutes ago
Description : A privacy issue was addressed by moving sensitive data. This issue is fixed in watchOS 26.1, iOS 26.1 and iPadOS 26.1, visionOS 26.1. An app may be able to fingerprint the user.
Severity: 0.0 | NA
CVE-2025-11841 - Greenshift – animation and page builder blocks <= 12.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Data Attributes

CVE ID : CVE-2025-11841
Published : Nov. 4, 2025, 3:15 a.m. | 44 minutes ago
Description : The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Chart Data attributes in all versions up to, and including, 12.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-12324 - TablePress – Tables in WordPress made easy <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

CVE ID : CVE-2025-12324
Published : Nov. 4, 2025, 3:15 a.m. | 44 minutes ago
Description : The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `table` shortcode attributes in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM