Critical vulnerabilities, curated daily for security professionals
ðŊ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
ð
Archived Security Brief
This week's security landscape witnessed an alarming surge in critical vulnerabilities, with 120+ critical flaws discovered including a perfect CVSS 10.0 score in Elementor Forms, multiple authentication bypasses in WordPress plugins, and critical infrastructure threats to Kapsch TrafficCom systems. With 9 actively exploited vulnerabilities and multiple KEV deadlines approaching, organizations face an elevated threat level heading into September.
ðī Week's Most Critical: CVSS 10.0 - Elementor Forms unrestricted web shell upload affecting millions of WordPress sites
ð Weekly Statistics: 120+ critical vulnerabilities, 500+ high-priority issues, only 17% have available patches
â ïļ Infrastructure Alert: Kapsch TrafficCom RSUs shipped with Android Debug Bridge and weak BIOS passwords
ðŊ Active Exploitation: 9 CISA KEV vulnerabilities including Citrix NetScaler, WinRAR, and Trend Micro Apex One
ð Upcoming Deadlines: WinRAR KEV expires September 1 (Monday), multiple critical patches needed before week starts
Immediate action: Use the weekend to patch critical vulnerabilities before Monday's business operations. Priority: Elementor Forms (CVSS 10.0), WordPress authentication bypasses, and prepare for WinRAR KEV deadline on September 1.
ðĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ïļ
CISA Known Exploited Vulnerabilities
â ïļ CISA KEVURGENT
CVE-2025-8088
9.5
RARLABWinRAR
â° Federal Deadline:September 1, 2025(2 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ïļ CISA KEVURGENT
CVE-2007-0671
9.5
MicrosoftOffice
â° Federal Deadline:September 1, 2025(2 days remaining)
Microsoft Office Excel Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ïļ CISA KEVURGENT
CVE-2013-3893
9.5
MicrosoftInternet Explorer
â° Federal Deadline:September 1, 2025(2 days remaining)
Microsoft Internet Explorer Resource Management Errors Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ïļ CISA KEV
CVE-2025-54948
9.5ð
Trend MicroApex One
â° Federal Deadline:September 7, 2025(8 days remaining)
Trend Micro Apex One OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ïļ CISA KEV
CVE-2025-43300
9.5ð
AppleiOS, iPadOS, and macOS
â° Federal Deadline:September 10, 2025(11 days remaining)
Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ïļ CISA KEV
CVE-2025-48384
9.5
GitGit
â° Federal Deadline:September 14, 2025(15 days remaining)
Git Link Following Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ïļ CISA KEV
CVE-2024-8068
9.5
CitrixSession Recording
â° Federal Deadline:September 14, 2025(15 days remaining)
Citrix Session Recording Improper Privilege Management Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ïļ CISA KEV
CVE-2024-8069
9.5
CitrixSession Recording
â° Federal Deadline:September 14, 2025(15 days remaining)
Citrix Session Recording Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ïļ CISA KEV
CVE-2025-57819
9.5
SangomaFreePBX
â° Federal Deadline:September 18, 2025(21 days remaining)
Sangoma FreePBX Authentication Bypass Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
ðĻ
Critical Vulnerabilities
CVE-2025-44033
9.8ð
SQL injection vulnerability inMultiple Products
SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the allDirector() method declaration in src/main/java/cn/gson/oasys/mappers/AddressMapper.ja...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-8861
9.8ð
TSA developed by Changing has a Missing AuthenticationMultiple Products
TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-7955
9.8ð
The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within theMultiple Products
The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8....
Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin allows Privilege Escalation. This issue affects Miraculous Core Plugin: from n/a through 2.0.7.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-49387
10ð
Unrestricted Upload of File with Dangerous Type vulnerability inMultiple Products
Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop F...
CVSS Base10
â
CRSSelect profile
CVE-2025-58159
9.9ð
WeGIA is a Web manager for charitableMultiple Products
WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allo...
CVSS Base9.9
â
CRSSelect profile
CVE-2025-53970
9.8ð
UnknownMultiple Products
SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54762
9.8ð
UnknownMultiple Products
SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-55583
9.8ð
UnknownMultiple Products
D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_ap...
CVSS Base9.8
â
CRSSelect profile
CVE-2025-8857
9.8ð
Clinic Image System developed by Changing containsMultiple Products
Clinic Image System developed by Changing contains hard-coded Credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-48100
9.1ð
Improper Control of Generation of CodeMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator allows Remote Code Inclusion. This issue affects bidorbuy Store Integrator: from n/a th...
CVSS Base9.1
â
CRSSelect profile
CVE-2025-52761
9.8ð
Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows ObjectMultiple Products
Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows Object Injection. This issue affects WP Funnel Manager: from n/a through 1.4.0.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54725
9.8ð
Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows AuthenticationMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-54738
9.8ð
Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster allows AuthenticationMultiple Products
Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster allows Authentication Abuse. This issue affects Jobmonster: from n/a through 4.7.9.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-39496
9.3ð
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WooBeWoo Product Filter Pro allows SQL Injection.This issue affects WooBeWoo Product Filter Pr...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-54720
9.3ð
Improper Neutralization of Special Elements used in an SQL CommandMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SteelThemes Nest Addons allows SQL Injection. This issue affects Nest Addons: from n/a through 1.6...
CVSS Base9.3
â
CRSSelect profile
CVE-2025-58048
9.9ð
Paymenter is a free andMultiple Products
Paymenter is a free and open-source webshop solution for hostings. Prior to version 1.2.11, the ticket attachments functionality in Paymenter allows a malicious authenticated user to upload arbitrary ...
CVSS Base9.9
â
CRSSelect profile
CVE-2025-9605
9.8
A security vulnerability has been detected in TendaMultiple Products
A security vulnerability has been detected in Tenda AC21 and AC23 16.03.08.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. Such manipulation of the argument...
CVSS Base9.8
â
CRSSelect profile
CVE-2024-46484
9.8
TRENDnetMultiple Products
TRENDnet TV-IP410 vA1.0R was discovered to contain an OS command injection vulnerability via the /server/cgi-bin/testserv.cgi component.
CVSS Base9.8
â
CRSSelect profile
CVE-2025-58059
9.1
Valtimo is a platform for Business ProcessMultiple Products
Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin that can create or modify and execute process-def...
CVSS Base9.1
â
CRSSelect profile
â ïļ
High Priority Updates
CVE-2025-8858
7.5ð
ClinicMultiple Products
Clinic Image System developed by Changing has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents
CVSS Base7.5
â
CRSSelect profile
CVE-2024-13342
8.1ð
WordPressMultiple Products
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49383
8.1ð
CocoBasic NeresaMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Neresa allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49405
8.1ð
favethemes HouzezMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53216
8.1ð
ThemeUniver GlamerMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeUniver Glamer allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53227
8.1ð
Unfoldwp MagazineMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine Saga allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53244
8.1ð
Unfoldwp MagazineMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine Elite allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53247
8.1ð
WPInterface BlogMarksMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPInterface BlogMarks allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53248
8.1ð
Unfoldwp MagazineMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53334
8.1ð
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53576
8.1ð
ovatheme OvathemeMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53578
8.1ð
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kipso allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-54716
8.1ð
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2025-49404
8.5ð
purethemesMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in purethemes Listeo-Core allows SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2025-53326
7.5ð
CodeYatri GutenifyMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodeYatri Gutenify allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-53328
7.5ð
Assaf ParagMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Assaf Parag Poll, Survey & Quiz Maker Plugin by Opinion Stage allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-53243
8.1ð
WordPressMultiple Products
Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory â Staff Listing & Team Directory Plugin for WordPress allows Object Injection
CVSS Base8.1
â
CRSSelect profile
CVE-2025-7812
8.8
WordPressMultiple Products
The Video Share VOD â Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2
CVSS Base8.8
â
CRSSelect profile
CVE-2025-56577
8.4
issueMultiple Products
An issue in Evope Core v
CVSS Base8.4
â
CRSSelect profile
CVE-2025-55177
8
IncompleteMultiple Products
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2
CVSS Base8
â
CRSSelect profile
CVE-2025-58322
7.8
WindowsMultiple Products
NAVER MYBOX Explorer for Windows before 3
CVSS Base7.8
â
CRSSelect profile
CVE-2025-58323
7.7
WindowsMultiple Products
NAVER MYBOX Explorer for Windows before 3
CVSS Base7.7
â
CRSSelect profile
CVE-2024-13807
7.5
WordPressMultiple Products
The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7
CVSS Base7.5
â
CRSSelect profile
CVE-2025-57767
7.5
AsteriskMultiple Products
Asterisk is an open source private branch exchange and telephony toolkit
CVSS Base7.5
â
CRSSelect profile
CVE-2025-48304
7.1
GoogleMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Gary Illyes Google XML News Sitemap plugin allows Stored XSS
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export allows Path Traversal
CVSS Base7.7
â
CRSSelect profile
CVE-2025-53230
7.6
PageMultiple Products
Missing Authorization vulnerability in honzat Page Manager for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.6
â
CRSSelect profile
CVE-2025-54742
8.8
magepeopleteamMultiple Products
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2025-9639
7.5
QbiCRMGatewayMultiple Products
The QbiCRMGateway developed by Ai3 has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files
CVSS Base7.5
â
CRSSelect profile
CVE-2025-53572
8.1
Deserialization ofMultiple Products
Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact allows Object Injection
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53583
8.1
Deserialization ofMultiple Products
Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight allows Object Injection
CVSS Base8.1
â
CRSSelect profile
CVE-2025-53584
8.1
Deserialization ofMultiple Products
Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Object Injection
CVSS Base8.1
â
CRSSelect profile
CVE-2025-9578
7.8
LocalMultiple Products
Local privilege escalation due to insecure folder permissions
CVSS Base7.8
â
CRSSelect profile
CVE-2025-55763
7.5
BufferMultiple Products
Buffer Overflow in the URI parser of CivetWeb 1
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58158
8.8
HarnessMultiple Products
Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries
CVSS Base8.8
â
CRSSelect profile
CVE-2025-48963
7.3
LocalMultiple Products
Local privilege escalation due to improper soft link handling
CVSS Base7.3
â
CRSSelect profile
CVE-2025-39247
8.6
some HikCentralMultiple Products
There is an Access Control Vulnerability in some HikCentral Professional versions
CVSS Base8.6
â
CRSSelect profile
CVE-2025-8067
8.5
flawMultiple Products
A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system
CVSS Base8.5
â
CRSSelect profile
CVE-2025-54731
8.1
ImproperMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase allows Object Injection
CVSS Base8.1
â
CRSSelect profile
CVE-2025-58334
8.1
ServicesMultiple Products
In JetBrains IDE Services before 2025
CVSS Base8.1
â
CRSSelect profile
CVE-2024-46916
8.1
SuiteMultiple Products
Diebold Nixdorf Vynamic Security Suite through 4
CVSS Base8.1
â
CRSSelect profile
CVE-2024-46917
8.1
SuiteMultiple Products
Diebold Nixdorf Vynamic Security Suite through 4
CVSS Base8.1
â
CRSSelect profile
CVE-2025-43187
7.8
ThisMultiple Products
This issue was addressed by removing the vulnerable code
CVSS Base7.8
â
CRSSelect profile
CVE-2025-43268
7.8
permissionsMultiple Products
A permissions issue was addressed with additional restrictions
CVSS Base7.8
â
CRSSelect profile
CVE-2023-41471
7.8
copyparty Cross SiteMultiple Products
Cross Site Scripting vulnerability in copyparty v
CVSS Base7.8
â
CRSSelect profile
CVE-2025-53588
7.7
DmitryMultiple Products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V
CVSS Base7.7
â
CRSSelect profile
CVE-2025-36003
7.5
IBMMultiple Products
IBM Security Verify Governance Identity Manager 10
CVSS Base7.5
â
CRSSelect profile
CVE-2025-46409
7.5
InadequateMultiple Products
Inadequate encryption strength issue exists in SS1 Ver
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58072
7.5
ImproperMultiple Products
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in SS1 Ver
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58081
7.5
UseMultiple Products
Use of hard-coded password issue/vulnerability in SS1 Ver
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58047
7.5
VoltoMultiple Products
Volto is a React based frontend for the Plone Content Management System
CVSS Base7.5
â
CRSSelect profile
CVE-2025-57215
7.5
TendaMultiple Products
Tenda AC10 v4
CVSS Base7.5
â
CRSSelect profile
CVE-2025-6203
7.5
maliciousMultiple Products
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault
CVSS Base7.5
â
CRSSelect profile
CVE-2025-58157
7.5
gnarkMultiple Products
gnark is a zero-knowledge proof system framework
CVSS Base7.5
â
CRSSelect profile
CVE-2025-9592
7.3
ManagementMultiple Products
A vulnerability was detected in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9593
7.3
ManagementMultiple Products
A flaw has been found in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9594
7.3
ManagementMultiple Products
A vulnerability has been found in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9596
7.3
ManagementMultiple Products
A vulnerability was determined in itsourcecode Sports Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9597
7.3
ManagementMultiple Products
A vulnerability was identified in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9598
7.3
ManagementMultiple Products
A security flaw has been discovered in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-40927
7.3
versionsMultiple Products
CGI::Simple versions before 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9599
7.3
ManagementMultiple Products
A weakness has been identified in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9600
7.3
ManagementMultiple Products
A security vulnerability has been detected in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9601
7.3
ManagementMultiple Products
A vulnerability was detected in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9610
7.3
JudgingMultiple Products
A vulnerability was determined in code-projects Online Event Judging System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9643
7.3
ManagementMultiple Products
A vulnerability was found in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9644
7.3
ManagementMultiple Products
A vulnerability was determined in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9645
7.3
ManagementMultiple Products
A vulnerability was identified in itsourcecode Apartment Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-47909
7.3
HostsMultiple Products
Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9660
7.3
OrderingMultiple Products
A vulnerability was found in SourceCodester Bakeshop Online Ordering System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9662
7.3
GradingMultiple Products
A vulnerability was determined in code-projects Simple Grading System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9669
7.3
JinherMultiple Products
A vulnerability has been found in Jinher OA 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-9678
7.3
ManagementMultiple Products
A weakness has been identified in Campcodes Online Loan Management System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2025-53508
7.2
MultipleMultiple Products
Multiple products provided by iND Co
CVSS Base7.2
â
CRSSelect profile
CVE-2025-48109
7.1
Xavier MediaMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in Xavier Media XM-Backup allows Stored XSS
Cross-Site Request Forgery (CSRF) vulnerability in thaihavnn07 ATT YouTube Widget allows Stored XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-49407
7.1
favethemes HouzezMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53215
7.1
ImproperMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8bitkid Yahoo! WebPlayer allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53220
7.1
XmasB XmasB QuotesMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XmasB XmasB Quotes allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53223
7.1
undoITMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in undoIT Theme Switcher Reloaded allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53224
7.1
Koen Schuit NextGENMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Koen Schuit NextGEN Gallery Search allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53225
7.1
eboekhoudenMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eboekhouden e-Boekhouden
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53289
7.1
JasonMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason Theme Blvd Widget Areas allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53579
7.1
ImproperMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in captcha
CVSS Base7.1
â
CRSSelect profile
CVE-2025-54710
7.1
bPlugins Tiktok FeedMultiple Products
Missing Authorization vulnerability in bPlugins Tiktok Feed allows Accessing Functionality Not Properly Constrained by ACLs
CVSS Base7.1
â
CRSSelect profile
CVE-2025-54714
7.1
ProjectMultiple Products
Missing Authorization vulnerability in Dylan James Zephyr Project Manager allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base7.1
â
CRSSelect profile
CVE-2025-54724
7.1
ImproperMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo allows Reflected XSS
CVSS Base7.1
â
CRSSelect profile
CVE-2025-53396
7
IncorrectMultiple Products
Incorrect permission assignment for critical resource issue exists in SS1 Ver