CVE News Feed

• CVE-2025-1030 - Sensitive Data Exposure in Utarit Informatics' SoliClub

  CVE ID :CVE-2025-1030
  Published : Dec. 18, 2025, 2:22 p.m. | 12 minutes ago
  Description :Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information.This issue affects SoliClub: from 5.2.4 before 5.3.7.
  Severity: 7.5 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-64461 - Out of Bounds Write in mgocre_SH_25_3!RevBL() in NI LabVIEW

  CVE ID :CVE-2025-64461
  Published : Dec. 18, 2025, 2:21 p.m. | 14 minutes ago
  Description :There is an out of bounds write vulnerability in NI LabVIEW in mgocre_SH_25_3!RevBL() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions.
  Severity: 8.5 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-14861 - Memory safety bugs fixed in Firefox 146.0.1

  CVE ID :CVE-2025-14861
  Published : Dec. 18, 2025, 2:21 p.m. | 14 minutes ago
  Description :Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox 146.0.1.
  Severity: 0.0 | NA
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-14860 - Use-after-free in the Disability Access APIs component

  CVE ID :CVE-2025-14860
  Published : Dec. 18, 2025, 2:21 p.m. | 14 minutes ago
  Description :Use-after-free in the Disability Access APIs component. This vulnerability affects Firefox 146.0.1.
  Severity: 0.0 | NA
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-14744 - Filename spoofing via Unicode Right-to-Left Override in Firefox for iOS

  CVE ID :CVE-2025-14744
  Published : Dec. 18, 2025, 2:21 p.m. | 14 minutes ago
  Description :Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS 144.0.
  Severity: 0.0 | NA
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-1029 - Hardcoded Credentials in Utarit Informatics' SoliClub

  CVE ID :CVE-2025-1029
  Published : Dec. 18, 2025, 2:16 p.m. | 19 minutes ago
  Description :Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable.This issue affects SoliClub: from 5.2.4 before 5.3.7.
  Severity: 7.5 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-65000 - Exposure of SSH Private Keys in Remote Alert Handlers (Linux) Rule

  CVE ID :CVE-2025-65000
  Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
  Description :SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk = 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert andlers on hosts where the handler was deployed.
  Severity: 2.3 | LOW
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-40898 - Path traversal in Import Arc data archive functionality in Guardian/CMC before 25.5.0

  CVE ID :CVE-2025-40898
  Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
  Description :A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. An authenticated user with limited privileges, by uploading a specifically-crafted Arc data archive, can potentially write arbitrary files in arbitrary paths, altering the device configuration and/or affecting its availability.
  Severity: 8.1 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-40893 - HTML injection in Asset List in Guardian/CMC before 25.5.0

  CVE ID :CVE-2025-40893
  Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
  Description :A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
  Severity: 6.1 | MEDIUM
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-40892 - Stored Cross-Site Scripting (XSS) in Reports in Guardian/CMC before 25.5.0

  CVE ID :CVE-2025-40892
  Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
  Description :A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.
  Severity: 8.9 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-40891 - HTML injection in in Time Machine functionality in Guardian/CMC before 25.5.0

  CVE ID :CVE-2025-40891
  Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
  Description :A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions.
  Severity: 4.7 | MEDIUM
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-9787 - Stored XSS

  CVE ID :CVE-2025-9787
  Published : Dec. 18, 2025, 2:14 p.m. | 20 minutes ago
  Description :Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.
  Severity: 6.1 | MEDIUM
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-14618 - Sweet Energy Efficiency ticated (Subscriber+) Arbitrary Graph Deletion

  CVE ID :CVE-2025-14618
  Published : Dec. 18, 2025, 1:15 p.m. | 1 hour, 19 minutes ago
  Description :The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs.
  Severity: 4.3 | MEDIUM
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-14437 - Hummingbird nsitive Information Exposure via Log File

  CVE ID :CVE-2025-14437
  Published : Dec. 18, 2025, 1:15 p.m. | 1 hour, 19 minutes ago
  Description :The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.
  Severity: 7.5 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-14277 - Prime Slider – Addons for Elementor st Forgery

  CVE ID :CVE-2025-14277
  Published : Dec. 18, 2025, 1:15 p.m. | 1 hour, 19 minutes ago
  Description :The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
  Severity: 4.3 | MEDIUM
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-13110 - HUSKY – Products Filter Professional for WooCommerce via 'woof_add_subscr'

  CVE ID :CVE-2025-13110
  Published : Dec. 18, 2025, 1:15 p.m. | 1 hour, 19 minutes ago
  Description :The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.
  Severity: 4.3 | MEDIUM
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-10910 - Gaining remote control over Govee devices

  CVE ID :CVE-2025-10910
  Published : Dec. 18, 2025, 12:16 p.m. | 2 hours, 19 minutes ago
  Description :A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account. The server‑side API allows device association using a set of identifiers: "device", "sku", "type", and a client‑computed "value", that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified for the Govee H6056 - lamp device in firmware version 1.08.13, but may affect also other Govee cloud‑connected devices. The vendor is not able to provide a list of affected products, but rolls out a firmware and server-side fixes. Devices that reached end‑of‑life for security support need replacement with newer models supporting updates.
  Severity: 9.3 | CRITICAL
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-40602 - SonicWall SMA1000 Missing Authorization Vulnerability - [Actively Exploited]

  CVE ID :CVE-2025-40602
  Published : Dec. 18, 2025, 11:15 a.m. | 3 hours, 19 minutes ago
  Description :A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
  Severity: 6.6 | MEDIUM
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-64997 - Insufficient permission validation when showing agent information

  CVE ID :CVE-2025-64997
  Published : Dec. 18, 2025, 10:16 a.m. | 4 hours, 19 minutes ago
  Description :Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allow low-privileged users to view agent information via the REST API, which could lead to information disclosure.
  Severity: 6.3 | MEDIUM
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...

• CVE-2025-14364 - Demo Importer Plus uthenticated (Subscriber+) Site Reset and Privilege Escalation

  CVE ID :CVE-2025-14364
  Published : Dec. 18, 2025, 10:16 a.m. | 4 hours, 19 minutes ago
  Description :The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.
  Severity: 8.8 | HIGH
  Visit the link for more details, such as CVSS details, affected products, timeline, and more...