CVE News Feed
Updates on the latest vulnerabilities detected.
-
CVE-2025-1301 - Yordam Informatics Library Automation System Reflected Cross-site Scripting Vulnerability
CVE ID :CVE-2025-1301
Published : May 2, 2025, 11:15 a.m. | 1 hour, 9 minutes ago
Description :Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yordam Informatics Library Automation System allows Reflected XSS.This issue affects Library Automation System: before 21.6.
Severity: 7.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-0427 - Arm Ltd Bifrost GPU, Valhall GPU, Arm 5th Gen GPU Architecture After Free Information Disclosure
CVE ID :CVE-2025-0427
Published : May 2, 2025, 10:15 a.m. | 2 hours, 10 minutes ago
Description :Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r8p0 through r49p3, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r19p0 through r49p3, from r50p0 through r53p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p3, from r50p0 through r53p0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-0072 - Arm Ltd Valhall GPU Kernel Driver After Free Vulnerability
CVE ID :CVE-2025-0072
Published : May 2, 2025, 10:15 a.m. | 2 hours, 10 minutes ago
Description :Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r29p0 through r49p3, from r50p0 through r53p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p3, from r50p0 through r53p0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-2812 - Mydata Informatics Ticket Sales Automation SQL Injection
CVE ID :CVE-2025-2812
Published : May 2, 2025, 9:15 a.m. | 3 hours, 9 minutes ago
Description :Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection.This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY).
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-11142 - Gosoft Software Proticaret E-Commerce CSRF Vulnerability
CVE ID :CVE-2024-11142
Published : May 2, 2025, 8:15 a.m. | 4 hours, 10 minutes ago
Description :Cross-Site Request Forgery (CSRF) vulnerability in Gosoft Software Proticaret E-Commerce allows Cross Site Request Forgery.This issue affects Proticaret E-Commerce: before v6.0 NOTE: According to the vendor, fixing process is still ongoing for v4.05.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-13860 - Buddyboss WordPress Stored Cross-Site Scripting
CVE ID :CVE-2024-13860
Published : May 2, 2025, 7:15 a.m. | 5 hours, 9 minutes ago
Description :The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bbp_topic_title’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-13859 - Buddyboss WordPress Stored Cross-Site Scripting
CVE ID :CVE-2024-13859
Published : May 2, 2025, 7:15 a.m. | 5 hours, 9 minutes ago
Description :The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bp_nouveau_ajax_media_save’ function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2024-13858 - Buddyboss Platform Stored Cross-Site Scripting Vulnerability
CVE ID :CVE-2024-13858
Published : May 2, 2025, 7:15 a.m. | 5 hours, 9 minutes ago
Description :The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘invitee_name’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-47201 - Intrexx Portal Server Cross-Site Scripting (XSS)
CVE ID :CVE-2025-47201
Published : May 2, 2025, 6:15 a.m. | 6 hours, 9 minutes ago
Description :In Intrexx Portal Server before 12.0.4, multiple Velocity-Scripts are susceptible to the execution of unrequested JavaScript code in HTML, aka XSS.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3514 - "SureForms WordPress Stored Cross-Site Scripting Vulnerability"
CVE ID :CVE-2025-3514
Published : May 2, 2025, 6:15 a.m. | 6 hours, 9 minutes ago
Description :The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3513 - "SureForms WordPress Stored Cross-Site Scripting"
CVE ID :CVE-2025-3513
Published : May 2, 2025, 6:15 a.m. | 6 hours, 9 minutes ago
Description :The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3488 - WordPress WPML Stored Cross-Site Scripting Vulnerability
CVE ID :CVE-2025-3488
Published : May 2, 2025, 6:15 a.m. | 6 hours, 9 minutes ago
Description :The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpml_language_switcher shortcode in versions 3.6.0 - 4.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3438 - WordPress WCFM Marketplace MStore API Privilege Escalation
CVE ID :CVE-2025-3438
Published : May 2, 2025, 6:15 a.m. | 6 hours, 9 minutes ago
Description :The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the 'wcfm_vendor' role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3858 - WordPress Formality Plugin Stored Cross-Site Scripting Vulnerability
CVE ID :CVE-2025-3858
Published : May 2, 2025, 4:15 a.m. | 8 hours, 9 minutes ago
Description :The Formality plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3748 - WordPress Taxonomy Chain Menu Stored Cross-Site Scripting
CVE ID :CVE-2025-3748
Published : May 2, 2025, 4:15 a.m. | 8 hours, 9 minutes ago
Description :The Taxonomy Chain Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pn_chain_menu shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3709 - Agentflow from Flowring Technology Account Lockout Bypass Vulnerability
CVE ID :CVE-2025-3709
Published : May 2, 2025, 4:15 a.m. | 8 hours, 9 minutes ago
Description :Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3708 - Le-Yan Le-Show Medical SQL Injection Vulnerability
CVE ID :CVE-2025-3708
Published : May 2, 2025, 4:15 a.m. | 8 hours, 9 minutes ago
Description :Le-show medical practice management system from Le-yan has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3707 - Sunnet eHDR CTMS SQL Injection
CVE ID :CVE-2025-3707
Published : May 2, 2025, 4:15 a.m. | 8 hours, 9 minutes ago
Description :The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL command to read database contents.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-3510 - TagDiv Composer WordPress Stored Cross-Site Scripting Vulnerability
CVE ID :CVE-2025-3510
Published : May 2, 2025, 4:15 a.m. | 8 hours, 9 minutes ago
Description :The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-1327 - "Homey WordPress Theme Insecure Direct Object Reference Vulnerability"
CVE ID :CVE-2025-1327
Published : May 2, 2025, 4:15 a.m. | 8 hours, 9 minutes ago
Description :The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's accounts.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...