🚨 CVE-2025-9375
XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: 0.14.2.
🎖@cveNotify
Fluidattacks
xmltodict 0.14.2 - XML Injection | Fluid Attacks
CVE-2025-9375: XML injection vulnerability in xmltodict 0.14.2 allows attackers to inject malicious XML markup via crafted dictionary keys.
🚨 CVE-2025-7445
Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs.
GitHub
CVE-2025-7445: secrets-store-sync-controller discloses service account tokens in logs · Issue #133897 · kubernetes/kubernetes
A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be excha...
🚨 CVE-2025-9990
The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
🚨 CVE-2025-8684
The Flatsome Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
ThemeForest
Flatsome | Multi-Purpose Responsive WooCommerce Theme
🚨 CVE-2025-58401
Obsidian GitHub Copilot Plugin versions prior to 1.1.7 store Github API token in cleartext form. As a result, an attacker may perform unauthorized operations on the linked Github account.
GitHub
Release 1.1.7 · Pierrad/obsidian-github-copilot
What's new
Added a warning in Copilot Chat settings to prevent users from sharing the secure-credentials.dat personal file.
🚨 CVE-2025-41408
Improper authorization in the custom URL scheme handler of the "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker to lead a user to access an arbitrary website in the vulnerable App. As a result, the user may become a victim of a phishing attack.
jvn.jp
JVN#35290164: "Yahoo! Shopping" App for Android fails to restrict custom URL schemes properly
Japan Vulnerability Notes
🚨 CVE-2025-55037
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources.
GitHub
Release v1.0.22 · kujirahand/tkeasygui-python
The pip command can be used to install the latest version.
pip install -U TkEasyGUI
Change Logs:
Added a size property to popup_xxx #116
Fixed popup_xxx so that icon can be used #116
Made popup_memo resizable #117
popup_listboxをリサ...
🚨 CVE-2025-55671
Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, arbitrary code may be executed with the privilege of running the program.
GitHub
Release v1.0.22 · kujirahand/tkeasygui-python
🚨 CVE-2025-58400
RATOC RAID Monitoring Manager for Windows provided by RATOC Systems, Inc. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
jvn.jp
JVN#98737186: RATOC RAID Monitoring Manager for Windows registers a Windows service with an unquoted file path
Japan Vulnerability Notes
🚨 CVE-2025-8944
The OceanWP WordPress theme before 4.1.2 is vulnerable to an option update due to a missing capability check on one of its AJAX request handlers, allowing any authenticated user, such as a subscriber, to update the `darkMod` setting.
WPScan
OceanWP < 4.1.2 - Subscriber+ Limited Option Update
See details on OceanWP < 4.1.2 - Subscriber+ Limited Option Update CVE 2025-8944. View the latest Theme Vulnerabilities on WPScan.
🚨 CVE-2024-7697
Logical vulnerability in the mobile application (com.transsion.carlcare) may lead to user information leakage risks.
Tecno
TECNO Security Response Center | TECNO Phone
TECNO Security Response Center, a platform for cooperation and exchanges between TECNO and security industry experts, researchers and organizations.
🚨 CVE-2024-11206
Unauthorized access vulnerability in the mobile application (com.transsion.phoenix) can lead to the leakage of user information.
Tecno
TECNO Security Response Center | TECNO Phone
🚨 CVE-2024-12603
A logic vulnerability in the mobile application (com.transsion.applock) can lead to bypassing the application password.
Tecno
TECNO Security Response Center | TECNO Phone
🚨 CVE-2025-1298
Logic vulnerability in the mobile application (com.transsion.carlcare) may lead to the risk of account takeover.
Tecno
TECNO Security Response Center | TECNO Phone
🚨 CVE-2025-2190
The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to code injection risks.
Tecno
TECNO Security Response Center | TECNO Phone
🚨 CVE-2025-3698
Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information leakage risk.
Tecno
TECNO Security Response Center | TECNO Phone
🚨 CVE-2025-48395
An attacker with authenticated and privileged access could modify the contents of a non-sensitive file by traversing the path in the limited shell of the CLI. This security issue has been fixed in the latest version of NMC G2 which is available on the Eaton download center.
🚨 CVE-2024-6504
Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261.
Rapid7
New | Vulnerability Management Documentation
This release includes a new Scan Assistant version, added Arista Networks fingerprinting, new date data for reintroduced vulnerabilities, various improvements and fixes, and a security update.
🚨 CVE-2024-23454
Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content.
This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.
🚨 CVE-2024-52544
An unauthenticated attacker can trigger a stack based buffer overflow in the DP Service (TCP port 3500). This vulnerability has been resolved in firmware version 2.800.0000000.8.R.20241111.
GitHub
GitHub - sfewer-r7/LorexExploit: Lorex 2K Indoor Wi-Fi Security Camera: RCE Exploit Chain
Lorex 2K Indoor Wi-Fi Security Camera: RCE Exploit Chain - sfewer-r7/LorexExploit
🚨 CVE-2024-52547
An authenticated attacker can trigger a stack based buffer overflow in the DHIP Service (TCP port 80). This vulnerability has been resolved in firmware version 2.800.0000000.8.R.20241111.
GitHub
GitHub - sfewer-r7/LorexExploit: Lorex 2K Indoor Wi-Fi Security Camera: RCE Exploit Chain