CVE Notify
Alert on the latest CVEs

Partner channel: @malwr
🚨 CVE-2020-25760
Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database.

🎖@cveNotify
🚨 CVE-2020-25761
Projectworlds Visitor Management System in PHP 1.0 allows XSS. The file myform.php does not perform input validation on the request parameters. An attacker can inject JavaScript payloads in the parameters to perform various attacks such as stealing of cookies, sensitive information, etc.

🎖@cveNotify
🚨 CVE-2021-24767
The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow an attacker to make a logged-in admin delete them via a CSRF attack.

🎖@cveNotify
🚨 CVE-2022-1952
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.

🎖@cveNotify
🚨 CVE-2024-39563
A Command Injection vulnerability in Juniper Networks Junos Space allows an unauthenticated, network-based attacker sending a specially crafted request to execute arbitrary shell commands on the Junos Space Appliance, leading to remote command execution by the web application, gaining complete control of the device.

A specific script in the Junos Space web application allows attacker-controlled input from a GET request without sufficient input sanitization. A specially crafted request can exploit this vulnerability to execute arbitrary shell commands on the Junos Space Appliance.

This issue affects Junos Space 24.1R1. Previous versions of Junos Space are unaffected by this vulnerability.

🎖@cveNotify
🚨 CVE-2024-7930
A vulnerability has been found in SourceCodester Clinics Patient Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /pms/ajax/get_packings.php. The manipulation of the argument medicine_id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

🎖@cveNotify
🚨 CVE-2023-47762
Missing Authorization vulnerability in WPDeveloper BetterDocs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BetterDocs: from n/a through 2.5.2.

🎖@cveNotify
🚨 CVE-2024-54223
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Contact Form - Repute InfoSystems ARForms Form Builder allows Code Injection. This issue affects ARForms Form Builder: from n/a through 1.7.1.

🎖@cveNotify
🚨 CVE-2025-2912
A vulnerability was found in HDF5 up to 1.14.6. It has been declared as problematic. Affected by this vulnerability is the function H5O_msg_flush of the file src/H5Omessage.c. The manipulation of the argument oh leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

🎖@cveNotify
🚨 CVE-2025-2913
A vulnerability was found in HDF5 up to 1.14.6. It has been rated as critical. Affected by this issue is the function H5FL__blk_gc_list of the file src/H5FL.c. The manipulation of the argument H5FL_blk_head_t leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

🎖@cveNotify
🚨 CVE-2025-30880
Missing Authorization vulnerability in JoomSky JS Help Desk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Help Desk: from n/a through 2.9.2.

🎖@cveNotify
🚨 CVE-2025-30023
The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack.

🎖@cveNotify
🚨 CVE-2025-30024
The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack.

🎖@cveNotify
🚨 CVE-2025-56005
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk.

🎖@cveNotify
🚨 CVE-2025-0107
An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.

🎖@cveNotify
🚨 CVE-2025-30025
The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation.

🎖@cveNotify
🚨 CVE-2012-5644
libuser has information disclosure when moving user's home directory

🎖@cveNotify