CVE-2025-12904 - SNORDIAN's H5PxAPIkatchu <= 0.4.17 - Unauthenticated Stored Cross-Site Scripting via insert_data
CVE ID : CVE-2025-12904
Published : Nov. 14, 2025, 2:24 a.m. | 39 minutes ago
Description : The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12904
Published : Nov. 14, 2025, 2:24 a.m. | 39 minutes ago
Description : The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13097 - Google Chrome DevTools Sandbox Escape
CVE ID : CVE-2025-13097
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13097
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9479 - Google Chrome V8 Heap Corruption
CVE ID : CVE-2025-9479
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Out of bounds read in V8 in Google Chrome prior to 133.0.6943.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9479
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Out of bounds read in V8 in Google Chrome prior to 133.0.6943.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13983 - Google Chrome iOS UI Spoofing Vulnerability
CVE ID : CVE-2024-13983
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Lens in Google Chrome on iOS prior to 136.0.7103.59 allowed a remote attacker to perform UI spoofing via a crafted QR code. (Chromium security severity: Low)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-13983
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Lens in Google Chrome on iOS prior to 136.0.7103.59 allowed a remote attacker to perform UI spoofing via a crafted QR code. (Chromium security severity: Low)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11920 - Google Chrome Dawn Memory Access Vulnerability
CVE ID : CVE-2024-11920
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Dawn in Google Chrome on Mac prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-11920
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Dawn in Google Chrome on Mac prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11919 - Google Chrome Android Intent UI Spoofing Vulnerability
CVE ID : CVE-2024-11919
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Intents in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-11919
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Intents in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13102 - Google Chrome Android WebApp Installs UI Spoofing Vulnerability
CVE ID : CVE-2025-13102
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in WebApp Installs in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13102
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in WebApp Installs in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-9126 - Google Chrome on iOS Use After Free in Internals
CVE ID : CVE-2024-9126
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Use after free in Internals in Google Chrome on iOS prior to 127.0.6533.88 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a series of curated UI gestures. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-9126
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Use after free in Internals in Google Chrome on iOS prior to 127.0.6533.88 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a series of curated UI gestures. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-7017 - Google Chrome DevTools Sandbox Escape Vulnerability
CVE ID : CVE-2024-7017
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in DevTools in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-7017
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in DevTools in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13178 - Google Chrome Fullscreen UI Spoofing Vulnerability
CVE ID : CVE-2024-13178
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Fullscreen in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-13178
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Fullscreen in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-7021 - Google Chrome Autofill UI Spoofing Vulnerability
CVE ID : CVE-2024-7021
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Autofill in Google Chrome on Windows prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-7021
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Autofill in Google Chrome on Windows prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13107 - Google Chrome UI Spoofing Vulnerability
CVE ID : CVE-2025-13107
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Compositing in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13107
Published : Nov. 14, 2025, 2:29 a.m. | 33 minutes ago
Description : Inappropriate implementation in Compositing in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13160 - IQ Service International|IQ-Support - Exposure of Sensitive Information
CVE ID : CVE-2025-13160
Published : Nov. 14, 2025, 4:15 a.m. | 2 hours, 47 minutes ago
Description : IQ-Support developed by IQ Service International has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13160
Published : Nov. 14, 2025, 4:15 a.m. | 2 hours, 47 minutes ago
Description : IQ-Support developed by IQ Service International has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access specific APIs to obtain sensitive information from the internal network.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13161 - IQ Service International|IQ-Support - Arbitrary File Read
CVE ID : CVE-2025-13161
Published : Nov. 14, 2025, 4:15 a.m. | 2 hours, 47 minutes ago
Description : IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13161
Published : Nov. 14, 2025, 4:15 a.m. | 2 hours, 47 minutes ago
Description : IQ-Support developed by IQ Service International has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10686 - Creta Testimonial Showcase < 1.2.4 - Editor+ Local File Inclusion
CVE ID : CVE-2025-10686
Published : Nov. 14, 2025, 6:15 a.m. | 47 minutes ago
Description : The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10686
Published : Nov. 14, 2025, 6:15 a.m. | 47 minutes ago
Description : The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64444 - NCP-HG100 OS Command Injection Vulnerability
CVE ID : CVE-2025-64444
Published : Nov. 14, 2025, 6:15 a.m. | 47 minutes ago
Description : Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier. If exploited, a remote attacker who has obtained the authentication information to log in to the management page of the product may execute an arbitrary OS command with root privileges.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64444
Published : Nov. 14, 2025, 6:15 a.m. | 47 minutes ago
Description : Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in NCP-HG100 1.4.48.16 and earlier. If exploited, a remote attacker who has obtained the authentication information to log in to the management page of the product may execute an arbitrary OS command with root privileges.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11776 - Guest user can discover archived public channels
CVE ID : CVE-2025-11776
Published : Nov. 14, 2025, 8:15 a.m. | 2 hours, 48 minutes ago
Description : Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11776
Published : Nov. 14, 2025, 8:15 a.m. | 2 hours, 48 minutes ago
Description : Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-41436 - Unauthorized access to archived channel content via threads interface
CVE ID : CVE-2025-41436
Published : Nov. 14, 2025, 8:15 a.m. | 2 hours, 48 minutes ago
Description : Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-41436
Published : Nov. 14, 2025, 8:15 a.m. | 2 hours, 48 minutes ago
Description : Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55070 - Lack of MFA enforcement in WebSocket connections
CVE ID : CVE-2025-55070
Published : Nov. 14, 2025, 8:15 a.m. | 2 hours, 48 minutes ago
Description : Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55070
Published : Nov. 14, 2025, 8:15 a.m. | 2 hours, 48 minutes ago
Description : Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55073 - MS Teams plugin OAuth allows editing arbitrary posts
CVE ID : CVE-2025-55073
Published : Nov. 14, 2025, 8:15 a.m. | 2 hours, 48 minutes ago
Description : Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55073
Published : Nov. 14, 2025, 8:15 a.m. | 2 hours, 48 minutes ago
Description : Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11794 - Password hash and MFA secret returned in user email verification endpoint
CVE ID : CVE-2025-11794
Published : Nov. 14, 2025, 10:45 a.m. | 18 minutes ago
Description : Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11794
Published : Nov. 14, 2025, 10:45 a.m. | 18 minutes ago
Description : Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...