Full List

Search

Recent Vulnerabilities

• CVE-2025-29708 • published on April 16, 2025 SourceCodester Company Website CMS 1.0 contains a file upload vulnerability via the "Create Services" file /dashboard/Services.
• CVE-2025-29709 • published on April 16, 2025 SourceCodester Company Website CMS 1.0 has a File upload vulnerability via the "Create portfolio" file /dashboard/portfolio.
• CVE-2025-43703 • published on April 16, 2025 An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.
• CVE-2025-43704 • published on April 16, 2025 Arctera/Veritas Data Insight before 7.1.2 can send cleartext credentials when configured to use HTTP Basic Authentication to a Dell Isilon OneFS server.
• CVE-2025-30215 • published on April 15, 2025 NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. This vulnerability is fixed in v2.11.1 or v2.10.27.
• CVE-2025-32385 • published on April 15, 2025 EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5.
• CVE-2025-32388 • published on April 15, 2025 SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6.
• CVE-2025-32435 • published on April 15, 2025 Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively.
• CVE-2025-32782 • published on April 15, 2025 Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0.
• CVE-2025-27929 • published on April 15, 2025 Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.
• CVE-2025-24315 • published on April 15, 2025 Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
• CVE-2025-32784 • published on April 15, 2025 conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. In versions prior to 2025.4.10, a race condition vulnerability has been identified in the conda-forge-webservices component used within the shared build infrastructure. This vulnerability, categorized as a Time-of-Check to Time-of-Use (TOCTOU) issue, can be exploited to introduce unauthorized modifications to build artifacts stored in the cf-staging Anaconda channel. Exploitation may result in the unauthorized publication of malicious artifacts to the production conda-forge channel. The core vulnerability results from the absence of atomicity between the hash validation and the artifact copy operation. This gap allows an attacker, with access to the cf-staging token, to overwrite the validated artifact with a malicious version immediately after hash verification, but before the copy action is executed. As the cf-staging channel permits artifact overwrites, such an operation can be carried out using the anaconda upload --force command. This vulnerability is fixed in 2025.4.10.
• CVE-2025-27561 • published on April 15, 2025 Unauthenticated attackers can rename "rooms" of arbitrary users.
• CVE-2025-32923 • published on April 15, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Tourmaster allows Reflected XSS. This issue affects Tourmaster: from n/a through n/a.
• CVE-2025-30984 • published on April 15, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound SEO Tools allows Reflected XSS. This issue affects SEO Tools: from n/a through 4.0.7.
• CVE-2025-30982 • published on April 15, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through 1.0.8.
• CVE-2025-30970 • published on April 15, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Contact allows Reflected XSS. This issue affects Easy Contact: from n/a through 0.1.2.
• CVE-2025-30967 • published on April 15, 2025 Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a.
• CVE-2025-30966 • published on April 15, 2025 Path Traversal vulnerability in NotFound WPJobBoard allows Path Traversal. This issue affects WPJobBoard: from n/a through n/a.
• CVE-2025-27011 • published on April 15, 2025 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam Booking and Rental Manager allows PHP Local File Inclusion. This issue affects Booking and Rental Manager: from n/a through 2.2.8.