CVE-2025-64232 - WordPress Import from YML plugin <= 3.1.17 - Cross Site Scripting (XSS) vulnerability
CVE ID : CVE-2025-64232
Published : Nov. 6, 2025, 4:16 p.m. | 3 hours, 37 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Import from YML import-from-yml allows Reflected XSS.This issue affects Import from YML: from n/a through <= 3.1.17.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64232
Published : Nov. 6, 2025, 4:16 p.m. | 3 hours, 37 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Import from YML import-from-yml allows Reflected XSS.This issue affects Import from YML: from n/a through <= 3.1.17.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64287 - WordPress Alloggio - Hotel Booking Theme theme <= 1.8 - Local File Inclusion vulnerability
CVE ID : CVE-2025-64287
Published : Nov. 6, 2025, 4:16 p.m. | 3 hours, 37 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion.This issue affects Alloggio - Hotel Booking: from n/a through <= 1.8.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64287
Published : Nov. 6, 2025, 4:16 p.m. | 3 hours, 37 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion.This issue affects Alloggio - Hotel Booking: from n/a through <= 1.8.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6325 - WordPress King Addons for Elementor plugin <= 51.1.36 - Privilege Escalation vulnerability
CVE ID : CVE-2025-6325
Published : Nov. 6, 2025, 4:16 p.m. | 3 hours, 37 minutes ago
Description : Incorrect Privilege Assignment vulnerability in KingAddons.com King Addons for Elementor king-addons allows Privilege Escalation.This issue affects King Addons for Elementor: from n/a through <= 51.1.36.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6325
Published : Nov. 6, 2025, 4:16 p.m. | 3 hours, 37 minutes ago
Description : Incorrect Privilege Assignment vulnerability in KingAddons.com King Addons for Elementor king-addons allows Privilege Escalation.This issue affects King Addons for Elementor: from n/a through <= 51.1.36.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-6327 - WordPress King Addons for Elementor plugin <= 51.1.36 - Arbitrary File Upload vulnerability
CVE ID : CVE-2025-6327
Published : Nov. 6, 2025, 4:16 p.m. | 3 hours, 37 minutes ago
Description : Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server.This issue affects King Addons for Elementor: from n/a through <= 51.1.36.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-6327
Published : Nov. 6, 2025, 4:16 p.m. | 3 hours, 37 minutes ago
Description : Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server.This issue affects King Addons for Elementor: from n/a through <= 51.1.36.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10885 - Privilege Escalation Vulnerability
CVE ID : CVE-2025-10885
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : A maliciously crafted file, when executed on the victim's machine, can lead to privilege escalation to NT AUTHORITY/SYSTEM due to an insufficient validation of loaded binaries. An attacker with local and low-privilege access could exploit this to execute code as SYSTEM.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10885
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : A maliciously crafted file, when executed on the victim's machine, can lead to privilege escalation to NT AUTHORITY/SYSTEM due to an insufficient validation of loaded binaries. An attacker with local and low-privilege access could exploit this to execute code as SYSTEM.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12485 - Devolutions Server Privilege Escalation Vulnerability
CVE ID : CVE-2025-12485
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : Improper privilege management during pre-MFA cookie handling in Devolutions Server 2025.3.5.0 and earlier allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12485
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : Improper privilege management during pre-MFA cookie handling in Devolutions Server 2025.3.5.0 and earlier allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12808 - Devolutions Server Unsecured Data Exposure
CVE ID : CVE-2025-12808
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : Improper access control in Devolutions Server 2025.3.5.0 and earlier allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12808
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : Improper access control in Devolutions Server 2025.3.5.0 and earlier allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59396 - WatchGuard Firebox Unauthenticated Remote Command Execution Vulnerability
CVE ID : CVE-2025-59396
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : The default configuration of WatchGuard Firebox devices through 2025-09-10 allows administrative access via SSH on port 4118 with the readwrite password for the admin account.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59396
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : The default configuration of WatchGuard Firebox devices through 2025-09-10 allows administrative access via SSH on port 4118 with the readwrite password for the admin account.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63560 - KiloView Denial of Service Vulnerability
CVE ID : CVE-2025-63560
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory component.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63560
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory component.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63588 - CMSimpleXH Reflected Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-63588
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted POST login). Successful exploitation may lead to theft of session cookies, credential disclosure, or other client-side impacts.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63588
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted POST login). Successful exploitation may lead to theft of session cookies, credential disclosure, or other client-side impacts.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63589 - CMSimple_XH Reflected Cross-Site Scripting (XSS)
CVE ID : CVE-2025-63589
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63589
Published : Nov. 6, 2025, 5:15 p.m. | 2 hours, 38 minutes ago
Description : A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12815 - AWS Research and Engineering Studio Desktop Session Metadata Disclosure
CVE ID : CVE-2025-12815
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another user's active desktop session metadata, including periodical desktop preview screenshots. To mitigate this issue, users should upgrade to version 2025.09 or above.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12815
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another user's active desktop session metadata, including periodical desktop preview screenshots. To mitigate this issue, users should upgrade to version 2025.09 or above.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-27916 - AnyDesk ID Spoofing Vulnerability
CVE ID : CVE-2025-27916
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An issue was discovered in AnyDesk through 9.0.4. When the connection between two clients is established via an IP address, it is possible to manipulate the data and spoof the AnyDesk ID.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-27916
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An issue was discovered in AnyDesk through 9.0.4. When the connection between two clients is established via an IP address, it is possible to manipulate the data and spoof the AnyDesk ID.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-27917 - AnyDesk Remote Denial of Service (DoS)
CVE ID : CVE-2025-27917
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An issue was discovered in AnyDesk through 9.0.4. Remote Denial of Service can occur because of incorrect deserialization that results in failed memory allocation and a NULL pointer dereference.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-27917
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An issue was discovered in AnyDesk through 9.0.4. Remote Denial of Service can occur because of incorrect deserialization that results in failed memory allocation and a NULL pointer dereference.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-27918 - AnyDesk UDP Heap Buffer Overflow
CVE ID : CVE-2025-27918
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An issue was discovered in AnyDesk before 9.0.0. It has an integer overflow and resultant heap-based buffer overflow via a UDP packet during processing of an Identity user image within the Discovery feature, or when establishing a connection between any two clients.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-27918
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An issue was discovered in AnyDesk before 9.0.0. It has an integer overflow and resultant heap-based buffer overflow via a UDP packet during processing of an Identity user image within the Discovery feature, or when establishing a connection between any two clients.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-27919 - AnyDesk Unauthorized Profile Password Creation
CVE ID : CVE-2025-27919
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from the counterparty. Consequently, the attacker can later connect without this counterparty confirmation.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-27919
Published : Nov. 6, 2025, 6:15 p.m. | 1 hour, 38 minutes ago
Description : An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from the counterparty. Consequently, the attacker can later connect without this counterparty confirmation.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-25621 - containerd affected by a local privilege escalation via wide permissions on CRI directory
CVE ID : CVE-2024-25621
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-25621
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-22397 - Dell Integrated Dell Remote Access Controller Path Traversal Vulnerability
CVE ID : CVE-2025-22397
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.181, 15G and 16G versions 6.10.80.00 through 7.20.10.50 and Dell Integrated Dell Remote Access Controller 10, 17G versions prior to 1.20.25.00, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
Severity: 6.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-22397
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.181, 15G and 16G versions 6.10.80.00 through 7.20.10.50 and Dell Integrated Dell Remote Access Controller 10, 17G versions prior to 1.20.25.00, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
Severity: 6.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-31133 - runc container escape via "masked path" abuse due to mount race conditions
CVE ID : CVE-2025-31133
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-31133
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60541 - Linshenkx Prompt-Optimizer SSRF
CVE ID : CVE-2025-60541
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1.3.0 to v1.4.2 allows attackers to scan internal resources via a crafted request.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60541
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1.3.0 to v1.4.2 allows attackers to scan internal resources via a crafted request.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63551 - MetInfo SSRF via XML External Entity Injection
CVE ID : CVE-2025-63551
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63551
Published : Nov. 6, 2025, 7:15 p.m. | 38 minutes ago
Description : A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...