CVE Feeds

CVE News Feed

Updates on the latest vulnerabilities detected.
  • CVE ID :CVE-2025-1030
    Published : Dec. 18, 2025, 2:22 p.m. | 12 minutes ago
    Description :Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information.This issue affects SoliClub: from 5.2.4 before 5.3.7.
    Severity: 7.5 | HIGH
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-64461
    Published : Dec. 18, 2025, 2:21 p.m. | 14 minutes ago
    Description :There is an out of bounds write vulnerability in NI LabVIEW in mgocre_SH_25_3!RevBL() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions.
    Severity: 8.5 | HIGH
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-14861
    Published : Dec. 18, 2025, 2:21 p.m. | 14 minutes ago
    Description :Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox 146.0.1.
    Severity: 0.0 | NA
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-14860
    Published : Dec. 18, 2025, 2:21 p.m. | 14 minutes ago
    Description :Use-after-free in the Disability Access APIs component. This vulnerability affects Firefox 146.0.1.
    Severity: 0.0 | NA
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-14744
    Published : Dec. 18, 2025, 2:21 p.m. | 14 minutes ago
    Description :Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS 144.0.
    Severity: 0.0 | NA
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-1029
    Published : Dec. 18, 2025, 2:16 p.m. | 19 minutes ago
    Description :Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable.This issue affects SoliClub: from 5.2.4 before 5.3.7.
    Severity: 7.5 | HIGH
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-65000
    Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
    Description :SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk = 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert andlers on hosts where the handler was deployed.
    Severity: 2.3 | LOW
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-40898
    Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
    Description :A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. An authenticated user with limited privileges, by uploading a specifically-crafted Arc data archive, can potentially write arbitrary files in arbitrary paths, altering the device configuration and/or affecting its availability.
    Severity: 8.1 | HIGH
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-40893
    Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
    Description :A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
    Severity: 6.1 | MEDIUM
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-40892
    Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
    Description :A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information.
    Severity: 8.9 | HIGH
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-40891
    Published : Dec. 18, 2025, 2:15 p.m. | 19 minutes ago
    Description :A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions.
    Severity: 4.7 | MEDIUM
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-9787
    Published : Dec. 18, 2025, 2:14 p.m. | 20 minutes ago
    Description :Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.
    Severity: 6.1 | MEDIUM
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-14618
    Published : Dec. 18, 2025, 1:15 p.m. | 1 hour, 19 minutes ago
    Description :The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs.
    Severity: 4.3 | MEDIUM
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-14437
    Published : Dec. 18, 2025, 1:15 p.m. | 1 hour, 19 minutes ago
    Description :The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.
    Severity: 7.5 | HIGH
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-14277
    Published : Dec. 18, 2025, 1:15 p.m. | 1 hour, 19 minutes ago
    Description :The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
    Severity: 4.3 | MEDIUM
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-13110
    Published : Dec. 18, 2025, 1:15 p.m. | 1 hour, 19 minutes ago
    Description :The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.
    Severity: 4.3 | MEDIUM
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-10910
    Published : Dec. 18, 2025, 12:16 p.m. | 2 hours, 19 minutes ago
    Description :A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account. The server‑side API allows device association using a set of identifiers: "device", "sku", "type", and a client‑computed "value", that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified for the Govee H6056 - lamp device in firmware version 1.08.13, but may affect also other Govee cloud‑connected devices. The vendor is not able to provide a list of affected products, but rolls out a firmware and server-side fixes. Devices that reached end‑of‑life for security support need replacement with newer models supporting updates.
    Severity: 9.3 | CRITICAL
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-40602
    Published : Dec. 18, 2025, 11:15 a.m. | 3 hours, 19 minutes ago
    Description :A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
    Severity: 6.6 | MEDIUM
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-64997
    Published : Dec. 18, 2025, 10:16 a.m. | 4 hours, 19 minutes ago
    Description :Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allow low-privileged users to view agent information via the REST API, which could lead to information disclosure.
    Severity: 6.3 | MEDIUM
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...
  • CVE ID :CVE-2025-14364
    Published : Dec. 18, 2025, 10:16 a.m. | 4 hours, 19 minutes ago
    Description :The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.
    Severity: 8.8 | HIGH
    Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Information

Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30 year history we have provided security services and products for a wide variety of companies around the globe.

Who's Online

We have 262 guests and no members online