CVE-2025-14455 - Image Photo Gallery Final Tiles Grid <= 3.6.7 - Missing Authorization to Authenticated (Contributor+) Gallery Management
CVE ID : CVE-2025-14455
Published : Dec. 19, 2025, 9:29 a.m. | 51 minutes ago
Description : The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14455
Published : Dec. 19, 2025, 9:29 a.m. | 51 minutes ago
Description : The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14847 - Zlib compressed protocol header length confusion may allow memory read
CVE ID : CVE-2025-14847
Published : Dec. 19, 2025, 11:15 a.m. | 3 hours, 7 minutes ago
Description : Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14847
Published : Dec. 19, 2025, 11:15 a.m. | 3 hours, 7 minutes ago
Description : Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1885 - Open Redirect in Restajet's Online Food Delivery System
CVE ID : CVE-2025-1885
Published : Dec. 19, 2025, 12:15 p.m. | 2 hours, 7 minutes ago
Description : URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Phishing, Forceful Browsing.This issue affects Online Food Delivery System: through 19122025.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1885
Published : Dec. 19, 2025, 12:15 p.m. | 2 hours, 7 minutes ago
Description : URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Phishing, Forceful Browsing.This issue affects Online Food Delivery System: through 19122025.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1927 - CSRF in Restajet's Online Food Delivery System
CVE ID : CVE-2025-1927
Published : Dec. 19, 2025, 12:15 p.m. | 2 hours, 7 minutes ago
Description : Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery.This issue affects Online Food Delivery System: through 19122025.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1927
Published : Dec. 19, 2025, 12:15 p.m. | 2 hours, 7 minutes ago
Description : Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery.This issue affects Online Food Delivery System: through 19122025.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14881 - Insecure direct object reference
CVE ID : CVE-2025-14881
Published : Dec. 19, 2025, 1:16 p.m. | 1 hour, 6 minutes ago
Description : Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14881
Published : Dec. 19, 2025, 1:16 p.m. | 1 hour, 6 minutes ago
Description : Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14882 - Insecure direct object reference
CVE ID : CVE-2025-14882
Published : Dec. 19, 2025, 1:16 p.m. | 1 hour, 6 minutes ago
Description : An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14882
Published : Dec. 19, 2025, 1:16 p.m. | 1 hour, 6 minutes ago
Description : An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14946 - Libnbd: libnbd: arbitrary code execution via ssh argument injection through a malicious uri
CVE ID : CVE-2025-14946
Published : Dec. 19, 2025, 1:16 p.m. | 1 hour, 6 minutes ago
Description : A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14946
Published : Dec. 19, 2025, 1:16 p.m. | 1 hour, 6 minutes ago
Description : A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1928 - Improper Authentication in Restajet's Online Food Delivery System
CVE ID : CVE-2025-1928
Published : Dec. 19, 2025, 1:16 p.m. | 1 hour, 6 minutes ago
Description : Improper Restriction of Excessive Authentication Attempts vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Password Recovery Exploitation.This issue affects Online Food Delivery System: through 19122025.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1928
Published : Dec. 19, 2025, 1:16 p.m. | 1 hour, 6 minutes ago
Description : Improper Restriction of Excessive Authentication Attempts vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Password Recovery Exploitation.This issue affects Online Food Delivery System: through 19122025.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14950 - code-projects Scholars Tracking System delete_post.php sql injection
CVE ID : CVE-2025-14950
Published : Dec. 19, 2025, 1:32 p.m. | 50 minutes ago
Description : A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14950
Published : Dec. 19, 2025, 1:32 p.m. | 50 minutes ago
Description : A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67044 - Apache HTTP Server Remote Code Execution Vulnerability
CVE ID : CVE-2025-67044
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67035. Reason: This record is a reservation duplicate of CVE-2025-67035. Notes: All CVE users should reference CVE-2025-67035 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67044
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67035. Reason: This record is a reservation duplicate of CVE-2025-67035. Notes: All CVE users should reference CVE-2025-67035 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67045 - Apache HTTP Server Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-67045
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67041. Reason: This record is a reservation duplicate of CVE-2025-67041. Notes: All CVE users should reference CVE-2025-67041 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67045
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67041. Reason: This record is a reservation duplicate of CVE-2025-67041. Notes: All CVE users should reference CVE-2025-67041 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67046 - Adobe Flash Unvalidated Redirects
CVE ID : CVE-2025-67046
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67037. Reason: This record is a reservation duplicate of CVE-2025-67037. Notes: All CVE users should reference CVE-2025-67037 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67046
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67037. Reason: This record is a reservation duplicate of CVE-2025-67037. Notes: All CVE users should reference CVE-2025-67037 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67047 - Apache OpenSSH Remote Code Execution Vulnerability
CVE ID : CVE-2025-67047
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67036. Reason: This record is a reservation duplicate of CVE-2025-67036. Notes: All CVE users should reference CVE-2025-67036 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67047
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67036. Reason: This record is a reservation duplicate of CVE-2025-67036. Notes: All CVE users should reference CVE-2025-67036 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67048 - Apache HTTP Server Remote Code Execution Vulnerability
CVE ID : CVE-2025-67048
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67039. Reason: This record is a reservation duplicate of CVE-2025-67039. Notes: All CVE users should reference CVE-2025-67039 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67048
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2025-67039. Reason: This record is a reservation duplicate of CVE-2025-67039. Notes: All CVE users should reference CVE-2025-67039 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67442 - EVE-NG Directory Traversal Vulnerability
CVE ID : CVE-2025-67442
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67442
Published : Dec. 19, 2025, 4:15 p.m. | 2 hours, 8 minutes ago
Description : EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68478 - Langflow Vulnerable to External Control of File Name or Path
CVE ID : CVE-2025-68478
Published : Dec. 19, 2025, 5:10 p.m. | 1 hour, 14 minutes ago
Description : Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68478
Published : Dec. 19, 2025, 5:10 p.m. | 1 hour, 14 minutes ago
Description : Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68430 - CVAT vulnerable to directory traversal via mounted share listing
CVE ID : CVE-2025-68430
Published : Dec. 19, 2025, 5:11 p.m. | 1 hour, 13 minutes ago
Description : CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of files are not accessible. Version 2.53.0 contains a patch. No known workarounds are available.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68430
Published : Dec. 19, 2025, 5:11 p.m. | 1 hour, 13 minutes ago
Description : CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of files are not accessible. Version 2.53.0 contains a patch. No known workarounds are available.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2023-30971 - Gaia unauthenticated endpoints
CVE ID : CVE-2023-30971
Published : Dec. 19, 2025, 5:15 p.m. | 1 hour, 9 minutes ago
Description : Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2023-30971
Published : Dec. 19, 2025, 5:15 p.m. | 1 hour, 9 minutes ago
Description : Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-49587 - Glutton V1 endpoints missing authentication
CVE ID : CVE-2024-49587
Published : Dec. 19, 2025, 5:15 p.m. | 1 hour, 8 minutes ago
Description : Glutton V1 service endpoints were exposed without any authentication on Gotham stacks, this could have allowed users that did not have any permission to hit glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham Instances
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-49587
Published : Dec. 19, 2025, 5:15 p.m. | 1 hour, 8 minutes ago
Description : Glutton V1 service endpoints were exposed without any authentication on Gotham stacks, this could have allowed users that did not have any permission to hit glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham Instances
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14809 - Address bar spoofing risk in ArcSearch on Android
CVE ID : CVE-2025-14809
Published : Dec. 19, 2025, 5:15 p.m. | 1 hour, 8 minutes ago
Description : ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.
Severity: 7.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14809
Published : Dec. 19, 2025, 5:15 p.m. | 1 hour, 8 minutes ago
Description : ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.
Severity: 7.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14812 - Address bar spoofing risk in Arc Search on iOS
CVE ID : CVE-2025-14812
Published : Dec. 19, 2025, 5:15 p.m. | 1 hour, 8 minutes ago
Description : ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14812
Published : Dec. 19, 2025, 5:15 p.m. | 1 hour, 8 minutes ago
Description : ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...