CVE-2025-62848 - QTS, QuTS hero
CVE ID : CVE-2025-62848
Published : Dec. 16, 2025, 3:15 a.m. | 36 minutes ago
Description : A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62848
Published : Dec. 16, 2025, 3:15 a.m. | 36 minutes ago
Description : A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62849 - QTS, QuTS hero
CVE ID : CVE-2025-62849
Published : Dec. 16, 2025, 3:15 a.m. | 36 minutes ago
Description : An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later
Severity: 5.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62849
Published : Dec. 16, 2025, 3:15 a.m. | 36 minutes ago
Description : An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later
Severity: 5.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13956 - LearnPress – WordPress LMS Plugin <= 4.3.1 - Missing Authorization to Unauthenticated Orders Statistics Exposure
CVE ID : CVE-2025-13956
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13956
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14777 - Keycloak: keycloak idor in realm client creating/deleting
CVE ID : CVE-2025-14777
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
Severity: 6.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14777
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID.
Severity: 6.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59479 - CHOCO TEI WATCHER mini Cross-Site Scripting (XSS)
CVE ID : CVE-2025-59479
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59479
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-61976 - CHOCO TEI WATCHER mini Denial of Service (DoS)
CVE ID : CVE-2025-61976
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-61976
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66357 - Choco TEI Watcher mini Denial of Service
CVE ID : CVE-2025-66357
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. When the Video Download feature is in a specific communication state, the product's resources may be consumed abnormally.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66357
Published : Dec. 16, 2025, 5:16 a.m. | 2 hours, 37 minutes ago
Description : CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. When the Video Download feature is in a specific communication state, the product's resources may be consumed abnormally.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12809 - dokan pro <= 4.1.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure
CVE ID : CVE-2025-12809
Published : Dec. 16, 2025, 6:15 a.m. | 1 hour, 37 minutes ago
Description : The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/dokan/v1/wholesale/register` REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12809
Published : Dec. 16, 2025, 6:15 a.m. | 1 hour, 37 minutes ago
Description : The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/dokan/v1/wholesale/register` REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13794 - Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification
CVE ID : CVE-2025-13794
Published : Dec. 16, 2025, 6:15 a.m. | 1 hour, 37 minutes ago
Description : The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13794
Published : Dec. 16, 2025, 6:15 a.m. | 1 hour, 37 minutes ago
Description : The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14252 - Advantech SUSI Improper Access Control Vulnerability
CVE ID : CVE-2025-14252
Published : Dec. 16, 2025, 6:15 a.m. | 1 hour, 37 minutes ago
Description : An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14252
Published : Dec. 16, 2025, 6:15 a.m. | 1 hour, 37 minutes ago
Description : An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62330 - HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information
CVE ID : CVE-2025-62330
Published : Dec. 16, 2025, 7:15 a.m. | 37 minutes ago
Description : HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive monitoring or man-in-the-middle attacks.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62330
Published : Dec. 16, 2025, 7:15 a.m. | 37 minutes ago
Description : HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive monitoring or man-in-the-middle attacks.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66635 - Seiko Epson Web Config Stack-based Buffer Overflow Vulnerability
CVE ID : CVE-2025-66635
Published : Dec. 16, 2025, 7:15 a.m. | 37 minutes ago
Description : Stack-based buffer overflow vulnerability exists in SEIKO EPSON Web Config. Specially crafted data input by a logged-in user may execute arbitrary code. As for the details of the affected products and versions, see the information provided by the vendor under [References].
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66635
Published : Dec. 16, 2025, 7:15 a.m. | 37 minutes ago
Description : Stack-based buffer overflow vulnerability exists in SEIKO EPSON Web Config. Specially crafted data input by a logged-in user may execute arbitrary code. As for the details of the affected products and versions, see the information provided by the vendor under [References].
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13439 - Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure via 'url' Parameter
CVE ID : CVE-2025-13439
Published : Dec. 16, 2025, 7:21 a.m. | 32 minutes ago
Description : The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13439
Published : Dec. 16, 2025, 7:21 a.m. | 32 minutes ago
Description : The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11991 - JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation
CVE ID : CVE-2025-11991
Published : Dec. 16, 2025, 7:21 a.m. | 32 minutes ago
Description : The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11991
Published : Dec. 16, 2025, 7:21 a.m. | 32 minutes ago
Description : The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming site's AI usage limits.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68061 - WordPress EduMall theme <= 4.4.7 - Local File Inclusion vulnerability
CVE ID : CVE-2025-68061
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove EduMall edumall allows PHP Local File Inclusion.This issue affects EduMall: from n/a through <= 4.4.7.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68061
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove EduMall edumall allows PHP Local File Inclusion.This issue affects EduMall: from n/a through <= 4.4.7.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68062 - WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability
CVE ID : CVE-2025-68062
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68062
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68065 - WordPress Hub Core plugin <= 5.0.8 - Local File Inclusion vulnerability
CVE ID : CVE-2025-68065
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68065
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68066 - WordPress Soledad theme <= 8.7.0 - Local File Inclusion vulnerability
CVE ID : CVE-2025-68066
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad soledad allows PHP Local File Inclusion.This issue affects Soledad: from n/a through <= 8.7.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68066
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad soledad allows PHP Local File Inclusion.This issue affects Soledad: from n/a through <= 8.7.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68067 - WordPress Stockholm Core plugin <= 2.4.6 - Local File Inclusion vulnerability
CVE ID : CVE-2025-68067
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through <= 2.4.6.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68067
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through <= 2.4.6.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68068 - WordPress Stockholm theme <= 9.14.1 - Local File Inclusion vulnerability
CVE ID : CVE-2025-68068
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through <= 9.14.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68068
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion.This issue affects Stockholm: from n/a through <= 9.14.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68070 - WordPress VK Google Job Posting Manager plugin <= 1.2.21 - Cross Site Scripting (XSS) vulnerability
CVE ID : CVE-2025-68070
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS.This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.21.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68070
Published : Dec. 16, 2025, 9:16 a.m. | 2 hours, 38 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS.This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.21.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...