-
CVE-2025-3520
•
published on April 18, 2025
The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
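The defect class here is a delete routine that trusts the caller's file name. The following Python snippet is an added illustration, not code from the Avatar plugin or from WordPress (which is PHP); the `wp-config.php` stand-in, the `uploads` directory and the `demo()` layout are all constructed for the example. It shows the unsafe join-then-delete pattern beside a version that resolves the real path and refuses anything outside the upload directory.

```python
import tempfile
from pathlib import Path


def delete_upload_vulnerable(upload_dir: str, requested: str) -> bool:
    """Unsafe pattern: the user-supplied name is joined onto the upload
    directory and deleted without checking where the result points.
    A value such as '../wp-config.php' walks straight out of upload_dir."""
    target = Path(upload_dir) / requested
    if target.is_file():
        target.unlink()
        return True
    return False


def delete_upload_hardened(upload_dir: str, requested: str) -> bool:
    """Resolve symlinks and '..' first, then require the real path to sit
    strictly inside upload_dir. Anything else is refused before touching disk."""
    base = Path(upload_dir).resolve()
    target = (base / requested).resolve()
    # rejects '..', absolute paths and symlinks that point out of the directory
    if base not in target.parents:
        raise PermissionError(f"refusing to delete outside {base}: {requested!r}")
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed layout: a throwaway site root with a config file next to
    an uploads directory. Reports what each variant did to the config file."""
    root = Path(tempfile.mkdtemp())
    config = root / "wp-config.php"          # stand-in for the real file
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "avatar.png").write_bytes(b"\x89PNG")
    results = {}

    config.write_text("<?php // constructed sample config\n")
    delete_upload_vulnerable(str(uploads), "../wp-config.php")
    results["vulnerable_deleted_config"] = not config.exists()

    config.write_text("<?php // constructed sample config\n")
    try:
        delete_upload_hardened(str(uploads), "../wp-config.php")
        results["hardened_refused"] = False
    except PermissionError:
        results["hardened_refused"] = True
    results["hardened_deleted_config"] = not config.exists()

    # an absolute path is refused as well
    results["hardened_refused_absolute"] = False
    try:
        delete_upload_hardened(str(uploads), str(config))
    except PermissionError:
        results["hardened_refused_absolute"] = True

    # a legitimate request for a file that really lives in uploads still works
    results["hardened_deleted_avatar"] = delete_upload_hardened(str(uploads), "avatar.png")
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter in the hardened version: the containment check runs on the resolved path, so a symlink planted inside the upload directory cannot point the delete at a file elsewhere, and the directory itself is excluded (`base` is never one of its own `parents`). Checking the raw string for `..` is not a substitute, because encodings, symlinks and absolute paths all slip past it.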
-
CVE-2025-0467
•
published on April 18, 2025
Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory.
-
CVE-2025-25427
•
published on April 18, 2025
A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web interface of TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript via the port mapping description. The stored payload executes whenever the UPnP page is loaded.
-
CVE-2024-29643
•
published on April 18, 2025
An issue in Croogo v3.0.2 allows an attacker to perform Host header injection via the feed.rss component.
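Host header injection in a feed generator usually comes down to building absolute links from the request's `Host` value. The block below is an added Python illustration and is not Croogo code (Croogo is a CakePHP application); `ALLOWED_HOSTS`, `CANONICAL_ORIGIN` and the header dictionaries are constructed for the example. It contrasts echoing the header into the feed with an allowlisted host and with a configured origin that the request cannot influence.

```python
# Constructed configuration for this example: the names the site is meant
# to be reachable under, and the origin to embed in generated links.
ALLOWED_HOSTS = {"blog.example.org", "www.example.org"}
CANONICAL_ORIGIN = "https://blog.example.org"


def feed_link_vulnerable(headers: dict, path: str) -> str:
    """Builds the feed's absolute link from whatever Host the client sent.
    Any value a client can put in the header ends up inside the feed,
    and if the feed is cached, every later reader receives it too."""
    return f"https://{headers.get('Host', '')}{path}"


def request_host(headers: dict) -> str:
    """Normalise the Host header: lower-case, trimmed, port removed.
    X-Forwarded-Host is deliberately ignored; honour it only when a
    trusted proxy is known to overwrite it (assumption: none here).
    Bracketed IPv6 literals are not in the allowlist and simply fail."""
    host = headers.get("Host", "").strip().lower()
    return host.split(":", 1)[0]


def feed_link_hardened(headers: dict, path: str) -> str:
    """Only a host from the allowlist may be echoed into generated output."""
    host = request_host(headers)
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"https://{host}{path}"


def feed_link_canonical(path: str) -> str:
    """Strictest option: derive the origin from configuration, never from
    the request, so the header cannot influence the feed at all."""
    return CANONICAL_ORIGIN + path


if __name__ == "__main__":
    spoofed = {"Host": "attacker.example"}
    print(feed_link_vulnerable(spoofed, "/feed.rss"))      # attacker's host in the feed
    print(feed_link_canonical("/feed.rss"))                  # configured origin
```

The allowlist version is the common middle ground when a site legitimately answers on several names; the canonical version is preferable for anything that is cached or syndicated, because a single poisoned response would otherwise be served to every subsequent client.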
-
CVE-2024-41447
•
published on April 18, 2025
A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCms v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter of the Create/Modify article function.
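Both the TP-Link port-mapping description (CVE-2025-25427) and the OpenCms author parameter (CVE-2024-41447) are the same bug: a stored string rendered into HTML without output encoding. The following Python block is an added example and is not code from either product; the two templates, the payloads and the `has_live_markup` check are constructed for the demonstration. It shows the fix for the two contexts involved, element text (the table cell) and a quoted attribute (the form field), because the characters that must be encoded differ between them.

```python
import html

# Constructed payloads standing in for attacker-controlled field values.
TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def render_mapping_row_vulnerable(description: str) -> str:
    """Interpolates the stored port-mapping description verbatim into the
    table cell, so a <script> tag stored once runs on every page load."""
    return f"<tr><td>{description}</td></tr>"


def render_mapping_row(description: str) -> str:
    """Same template, entity-encoded at the output point."""
    return f"<tr><td>{html.escape(description, quote=True)}</td></tr>"


def render_author_field_vulnerable(author: str) -> str:
    """Attribute context: a value containing a double quote closes the
    attribute and lets the attacker append an event-handler attribute."""
    return f'<input type="text" name="author" value="{author}">'


def render_author_field(author: str) -> str:
    """quote=True (html.escape's default) is what makes this safe inside a
    quoted attribute: both " and ' are encoded, not only < and >."""
    return f'<input type="text" name="author" value="{html.escape(author, quote=True)}">'


def has_live_markup(fragment: str) -> bool:
    """Demo-only detector: did a raw <script tag or an on* handler attribute
    survive into the rendered output? (Not a general XSS scanner.)"""
    lowered = fragment.lower()
    return "<script" in lowered or ' onfocus="' in lowered


def demo() -> dict:
    """Run both payloads through both template versions."""
    return {
        "table_vulnerable": has_live_markup(render_mapping_row_vulnerable(TEXT_PAYLOAD)),
        "table_escaped": has_live_markup(render_mapping_row(TEXT_PAYLOAD)),
        "attr_vulnerable": has_live_markup(render_author_field_vulnerable(ATTR_PAYLOAD)),
        "attr_escaped": has_live_markup(render_author_field(ATTR_PAYLOAD)),
    }


if __name__ == "__main__":
    print(render_mapping_row_vulnerable(TEXT_PAYLOAD))
    print(render_mapping_row(TEXT_PAYLOAD))
    print(render_author_field_vulnerable(ATTR_PAYLOAD))
    print(render_author_field(ATTR_PAYLOAD))
    print(demo())
```

Encoding at the output point is the fix; validating the stored value on the way in (length, character class) is worthwhile defence in depth but does not replace it, since the same value may later be rendered in a context the input filter never anticipated. A JavaScript or URL context would need its own encoder rather than `html.escape`.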
-
CVE-2024-46089
•
published on April 18, 2025
74cms <= 3.33 is vulnerable to remote code execution (RCE) in the apiadmin background (administration) interface.
-
CVE-2024-53591
•
published on April 18, 2025
An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack.
-
CVE-2024-57493
•
published on April 18, 2025
An issue in Redox OS relibc before commit 98aa4ea5 allows a local attacker to cause a denial of service via the setsockopt function.
-
CVE-2025-25983
•
published on April 18, 2025
An issue in Macro-video Technologies Co., Ltd V380 Pro Android application versions 2.1.44 and 2.1.64 allows an attacker to obtain sensitive information via the QR code based sharing component.
-
CVE-2025-25984
•
published on April 18, 2025
An issue in Macro-video Technologies Co., Ltd V380E6_C1 IP camera (Hw_HsAKPIQp_WF_XHR) 1020302 allows a physically proximate attacker to execute arbitrary code via the UART interface.
-
CVE-2025-25985
•
published on April 18, 2025
An issue in Macro-video Technologies Co., Ltd V380E6_C1 IP camera (Hw_HsAKPIQp_WF_XHR) 1020302 allows a physically proximate attacker to execute arbitrary code via the /mnt/mtd/mvconf/wifi.ini and /mnt/mtd/mvconf/user_info.ini configuration files.
-
CVE-2025-28059
•
published on April 18, 2025
An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.
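Deleting a user row while leaving its sessions and API tokens in their tables is the pattern described above. The Python block that follows is an added example, not Nagios Network Analyzer code; `AuthStore` and its in-memory tables are a constructed stand-in for the backend. It shows deletion that only removes the account next to deletion that revokes every derived credential, and, as a second layer, authorization checks that refuse a session or token whose owner no longer exists.

```python
import secrets
import time


class AuthStore:
    """Constructed in-memory store standing in for the backend tables.
    Sessions and API tokens both map back to a user id."""

    def __init__(self):
        self.users = {}        # user_id -> {"name": ...}
        self.sessions = {}     # session_id -> {"user": user_id, "created": ts}
        self.api_tokens = {}   # token -> user_id

    def create_user(self, name: str) -> int:
        uid = len(self.users) + 1
        self.users[uid] = {"name": name}
        return uid

    def login(self, uid: int) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": uid, "created": time.time()}
        return sid

    def issue_api_token(self, uid: int) -> str:
        tok = secrets.token_urlsafe(32)
        self.api_tokens[tok] = uid
        return tok

    # The defect: only the account row goes away.
    def delete_user_vulnerable(self, uid: int) -> None:
        self.users.pop(uid, None)

    # The fix: revoke every credential derived from the account, in the
    # same transaction as the delete so nothing survives a crash in between.
    def delete_user_hardened(self, uid: int) -> None:
        self.users.pop(uid, None)
        for sid in [s for s, v in self.sessions.items() if v["user"] == uid]:
            del self.sessions[sid]
        for tok in [t for t, u in self.api_tokens.items() if u == uid]:
            del self.api_tokens[tok]

    # Checks as a request handler would perform them.
    def authorize_session_naive(self, sid: str) -> bool:
        """Trusts the session table alone."""
        return sid in self.sessions

    def authorize_api_token_naive(self, tok: str) -> bool:
        return tok in self.api_tokens

    def authorize_session(self, sid: str) -> bool:
        """Second layer: the session is valid only if its user still exists."""
        sess = self.sessions.get(sid)
        return sess is not None and sess["user"] in self.users

    def authorize_api_token(self, tok: str) -> bool:
        uid = self.api_tokens.get(tok)
        return uid is not None and uid in self.users


def demo() -> dict:
    """Two identical stores; one deletes the account the vulnerable way,
    the other the hardened way. Returns what each check would answer
    for the credentials issued before the deletion."""
    out = {}
    for label, deleter in (("vulnerable", "delete_user_vulnerable"),
                           ("hardened", "delete_user_hardened")):
        store = AuthStore()
        uid = store.create_user("alice")
        sid = store.login(uid)
        tok = store.issue_api_token(uid)
        getattr(store, deleter)(uid)
        out[label] = {
            "stale_session_naive": store.authorize_session_naive(sid),
            "stale_token_naive": store.authorize_api_token_naive(tok),
            "stale_session_checked": store.authorize_session(sid),
            "stale_token_checked": store.authorize_api_token(tok),
        }
    return out


if __name__ == "__main__":
    print(demo())
```

The same revocation belongs on password change, role downgrade and account disablement, not only on deletion; the owner-still-exists check in the handlers is cheap insurance for the case where a deletion path somewhere in the code base forgets it. Tokens in a real store should be kept as hashes so that a database read does not yield usable credentials.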
-
CVE-2025-28232
•
published on April 18, 2025
Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication.
-
CVE-2025-28242
•
published on April 18, 2025
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.
-
CVE-2025-28197
•
published on April 18, 2025
Crawl4AI <= 0.4.247 is vulnerable to server-side request forgery (SSRF) in /crawl4ai/async_dispatcher.py.
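A crawler fetches the URLs it is handed, so the defence against SSRF is deciding where a fetch may go before the connection is opened. The block below is an added Python example and is not Crawl4AI code; it does not reproduce the project's dispatcher, and the `FAKE_DNS` table is a constructed stand-in so the example runs offline (a real implementation would call `socket.getaddrinfo`). It validates scheme and userinfo, resolves the host, and rejects the request if any resolved address is loopback, link-local, private or otherwise non-global, including the IPv4-mapped IPv6 form.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. The addresses are
# chosen only for their classification; nothing here is contacted.
FAKE_DNS = {
    "docs.example.com": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["8.8.4.4", "10.0.0.5"],   # one public, one private
}


def resolve(hostname: str) -> list:
    """Return every address the name resolves to. An IP literal resolves
    to itself. Real code: socket.getaddrinfo, and check *every* result."""
    try:
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        return FAKE_DNS.get(hostname.lower(), [])


def is_public_address(addr: str) -> bool:
    """Globally routable unicast only. ::ffff:10.0.0.1 is unwrapped first so
    the IPv4 rules apply to it; multicast is never a valid fetch target."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url: str) -> str:
    """Vet a crawl target and return the address to connect to.
    Raises ValueError for anything that must not be fetched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError(f"cannot resolve {parts.hostname!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{parts.hostname!r} resolves to non-public {addr}")
    # Connect to the address that was checked, not to the name again,
    # otherwise a second lookup can return something different (DNS rebinding).
    return addrs[0]


if __name__ == "__main__":
    for candidate in ("https://docs.example.com/page",
                      "http://metadata.internal/latest/meta-data/",
                      "http://[::ffff:10.0.0.1]/",
                      "http://rebind.example.net/"):
        try:
            print(candidate, "->", check_fetch_url(candidate))
        except ValueError as exc:
            print(candidate, "-> refused:", exc)
```

Two caveats a practitioner will want: redirects must be followed by hand and each hop re-vetted, since an allowed public host can 302 to an internal address, and the check must be repeated on every fetch rather than cached per hostname, because the answer can change between lookups. `ipaddress.ip_address` also rejects shorthand literals such as `127.1` that the C resolver would accept, which is why the resolved addresses rather than the raw hostname are classified.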
-
CVE-2025-28231
•
published on April 18, 2025
Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges.
-
CVE-2025-28237
•
published on April 18, 2025
An issue in WorldCast Systems ECRESO FM/DAB/TV Transmitter v1.10.1 allows authenticated attackers to escalate privileges via a crafted JSON payload.
-
CVE-2025-28228
•
published on April 18, 2025
A credential exposure vulnerability in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2 allows unauthorized attackers to access credentials in plaintext.
-
CVE-2025-28229
•
published on April 18, 2025
Incorrect access control in Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 allows attackers to bypass authentication and gain Administrator privileges.
-
CVE-2025-28230
•
published on April 18, 2025
Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials.