CVE-2025-14937 - Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'
CVE ID : CVE-2025-14937
Published : Jan. 9, 2026, 8:15 a.m. | 2 hours, 10 minutes ago
Description : The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14937
Published : Jan. 9, 2026, 8:15 a.m. | 2 hours, 10 minutes ago
Description : The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-69194 - Wget2: arbitrary file write via metalink path traversal in gnu wget2
CVE ID : CVE-2025-69194
Published : Jan. 9, 2026, 8:15 a.m. | 2 hours, 10 minutes ago
Description : A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-69194
Published : Jan. 9, 2026, 8:15 a.m. | 2 hours, 10 minutes ago
Description : A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-69195 - Wget2: gnu wget2: memory corruption and crash via filename sanitization logic with attacker-controlled urls
CVE ID : CVE-2025-69195
Published : Jan. 9, 2026, 8:15 a.m. | 2 hours, 10 minutes ago
Description : A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-69195
Published : Jan. 9, 2026, 8:15 a.m. | 2 hours, 10 minutes ago
Description : A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21409 - RICOH Streamline NX Authorization Bypass
CVE ID : CVE-2026-21409
Published : Jan. 9, 2026, 8:15 a.m. | 2 hours, 10 minutes ago
Description : Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21409
Published : Jan. 9, 2026, 8:15 a.m. | 2 hours, 10 minutes ago
Description : Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-0627 - AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload
CVE ID : CVE-2026-0627
Published : Jan. 9, 2026, 9:15 a.m. | 1 hour, 10 minutes ago
Description : The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `
CVE ID : CVE-2026-0627
Published : Jan. 9, 2026, 9:15 a.m. | 1 hour, 10 minutes ago
Description : The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `
CVE-2025-13729 - Entry Views <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-13729
Published : Jan. 9, 2026, 9:19 a.m. | 1 hour, 6 minutes ago
Description : The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13729
Published : Jan. 9, 2026, 9:19 a.m. | 1 hour, 6 minutes ago
Description : The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13853 - Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVE ID : CVE-2025-13853
Published : Jan. 9, 2026, 9:19 a.m. | 1 hour, 6 minutes ago
Description : The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13853
Published : Jan. 9, 2026, 9:19 a.m. | 1 hour, 6 minutes ago
Description : The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13900 - WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute
CVE ID : CVE-2025-13900
Published : Jan. 9, 2026, 9:19 a.m. | 1 hour, 6 minutes ago
Description : The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13900
Published : Jan. 9, 2026, 9:19 a.m. | 1 hour, 6 minutes ago
Description : The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13895 - Top Position Google Finance <= 0.1.0 - Reflected Cross-Site Scripting
CVE ID : CVE-2025-13895
Published : Jan. 9, 2026, 9:19 a.m. | 1 hour, 6 minutes ago
Description : The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13895
Published : Jan. 9, 2026, 9:19 a.m. | 1 hour, 6 minutes ago
Description : The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64090 - Authenticated Remote Code Execution in device hostname
CVE ID : CVE-2025-64090
Published : Jan. 9, 2026, 9:59 a.m. | 26 minutes ago
Description : This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64090
Published : Jan. 9, 2026, 9:59 a.m. | 26 minutes ago
Description : This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64091 - Authenticated Remote Code Execution in the NTP-configuration
CVE ID : CVE-2025-64091
Published : Jan. 9, 2026, 10 a.m. | 25 minutes ago
Description : This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64091
Published : Jan. 9, 2026, 10 a.m. | 25 minutes ago
Description : This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64092 - Unauthenticated SQL injection via GET request parameters
CVE ID : CVE-2025-64092
Published : Jan. 9, 2026, 10:03 a.m. | 22 minutes ago
Description : This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64092
Published : Jan. 9, 2026, 10:03 a.m. | 22 minutes ago
Description : This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13781 - Missing Authorization in GitLab
CVE ID : CVE-2025-13781
Published : Jan. 9, 2026, 10:03 a.m. | 22 minutes ago
Description : GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13781
Published : Jan. 9, 2026, 10:03 a.m. | 22 minutes ago
Description : GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13761 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVE ID : CVE-2025-13761
Published : Jan. 9, 2026, 10:04 a.m. | 22 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13761
Published : Jan. 9, 2026, 10:04 a.m. | 22 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13772 - Missing Authorization in GitLab
CVE ID : CVE-2025-13772
Published : Jan. 9, 2026, 10:04 a.m. | 22 minutes ago
Description : GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13772
Published : Jan. 9, 2026, 10:04 a.m. | 22 minutes ago
Description : GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11246 - Insufficient Granularity of Access Control in GitLab
CVE ID : CVE-2025-11246
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11246
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-10569 - Allocation of Resources Without Limits or Throttling in GitLab
CVE ID : CVE-2025-10569
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-10569
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-9222 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVE ID : CVE-2025-9222
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-9222
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3950 - Exposure of Private Personal Information to an Unauthorized Actor in GitLab
CVE ID : CVE-2025-3950
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3950
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64093 - Unauthenticated Remote Code Execution via the device hostname
CVE ID : CVE-2025-64093
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64093
Published : Jan. 9, 2026, 10:04 a.m. | 21 minutes ago
Description : Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22079 - Cleartext Transmission Vulnerability in Tenda Wireless Routers
CVE ID : CVE-2026-22079
Published : Jan. 9, 2026, 11:15 a.m. | 3 hours, 12 minutes ago
Description : This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22079
Published : Jan. 9, 2026, 11:15 a.m. | 3 hours, 12 minutes ago
Description : This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...