CVE-2018-1273
Spring Data Commons contains a property binder vulnerability that allows unauthenticated remote attackers to execute arbitrary code via crafted request parameters.
A large set of CRM Perks WordPress integration plugins—covering Salesforce, Zendesk, HubSpot, Keap/Infusionsoft, Mailchimp, and Constant Contact connectors—account for most of the day's critical disclosures, each rated CVSS 9.8. The brief includes 30 critical CVEs, up from none the prior day, and 62 high-priority CVEs, an 11% increase over the previous 56. Notable critical entries include CVE-2026-48114 in DataONE Metacat (CVSS 9.8), CVE-2026-49109 in CRM Perks Integration for Salesforce (CVSS 9.8), and CVE-2018-25436 in the Baggage Freight Shipping Australia WordPress plugin (CVSS 9.8). Active exploitation spans enterprise infrastructure, with KEV-listed flaws in Cisco Catalyst SD-WAN Manager, Ivanti Sentry, Oracle PeopleSoft PeopleTools, Arista EOS, and Microsoft Exchange Server. No patches are currently flagged as available across these disclosures, so teams should prioritize mitigations and exposure reduction while monitoring vendors for fixes.
Immediate action: Prioritize the actively exploited enterprise systems—Cisco Catalyst SD-WAN Manager, Ivanti Sentry, Oracle PeopleSoft PeopleTools, Arista EOS, and Microsoft Exchange Server—for immediate review and mitigation, and audit WordPress sites running CRM Perks integration plugins or the affected DataONE Metacat and Broadcast Live Video components. With no patches currently available across these disclosures, apply vendor mitigations, restrict exposure of affected services, and monitor advisories for forthcoming fixes.
A critical OS command injection vulnerability in Ivanti Sentry allows remote unauthenticated users to achieve root-level remote code execution.
An unauthenticated, easily exploitable vulnerability in the PeopleSoft Updates Environment Management component allows for complete system takeover via HTTP.
An out-of-bounds read and write vulnerability in the V8 JavaScript engine allows remote attackers to execute arbitrary code via a crafted HTML page.
Arista Extensible Operating System is affected by an incomplete comparison vulnerability, currently tracked in the CISA KEV catalog.
A command injection and privilege escalation vulnerability exists in the CLI of Cisco Catalyst SD-WAN Manager due to insufficient input validation.
Cisco Catalyst SD-WAN Manager contains an arbitrary file write vulnerability in its web UI, allowing authenticated remote attackers to escalate privileges to root.
A symlink mishandling vulnerability in the LiteSpeed cPanel plugin allows users with limited access to escalate privileges on shared hosting environments.
A cross-site scripting (XSS) vulnerability in Microsoft Exchange Server allows unauthenticated attackers to perform spoofing over a network.
The WordPress Baggage Freight Shipping Australia plugin contains an unrestricted file upload vulnerability allowing unauthenticated remote code execution.
Metacat data repository software contains an unauthenticated SQL injection vulnerability allowing full database read/write/execute access.
An unauthenticated PHP object injection vulnerability in the Broadcast Live Video plugin for WordPress allows remote code execution.
An unauthenticated PHP Object Injection vulnerability exists in the WP Insightly integration plugin for various WordPress form builders, allowing potential remote code execution.
An unauthenticated PHP Object Injection vulnerability in the CRM Perks Integration for Keap/Infusionsoft allows remote attackers to trigger deserialization of untrusted data.
An unauthenticated PHP Object Injection vulnerability in the WP Zendesk integration for WordPress allows attackers to execute arbitrary code via deserialization of untrusted data.
An unauthenticated PHP Object Injection vulnerability exists in the CRM Perks Integration for Contact Form 7 and Constant Contact, enabling potential remote code execution.
An unauthenticated PHP Object Injection vulnerability in the CRM Perks Integration for Salesforce allows remote attackers to achieve arbitrary code execution.
The Integration for Contact Form 7 HubSpot plugin for WordPress is vulnerable to unauthenticated PHP Object Injection, potentially allowing remote code execution via serialized input.
The Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress suffers from unauthenticated PHP Object Injection via deserialization of untrusted input.
The Happyforms plugin for WordPress is susceptible to unauthenticated PHP Object Injection, which could allow attackers to execute arbitrary code or retrieve sensitive data.
The wpForo Forum plugin for WordPress is vulnerable to unauthenticated PHP Object Injection, enabling potential remote code execution via untrusted input deserialization.
The WP Travel Engine plugin for WordPress contains an unauthenticated PHP Object Injection vulnerability, which could be exploited to compromise the system.
An unauthenticated PHP Object Injection vulnerability exists in the OttoKit component of the SureTriggers WordPress plugin, potentially leading to remote code execution.
An unauthenticated PHP Object Injection vulnerability (CWE-502) affects the Integration for ActiveCampaign and various form plugins, potentially allowing remote code execution.
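The dozen entries above all describe the same bug class: request data handed to unserialize(). The PHP example below is added here and is not code from CRM Perks or any other plugin in this brief. The TempFileLogger gadget class is hypothetical, standing in for whichever destructor- or wakeup-bearing classes a real site autoloads; the payload, temp path and function names are constructed for the demo. It shows why a bare unserialize() gives an unauthenticated attacker object construction, and the two ways to close it. Assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class (assumption: something like it is autoloaded on the
// site). Its destructor writes a file, so whoever controls its property values
// controls where and what gets written.
final class TempFileLogger
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Fires when the object is released, including objects that
        // unserialize() built from attacker-supplied bytes.
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: the pattern behind the entries above. A "settings" or "form data"
// blob arrives in a request parameter and is rebuilt with a bare unserialize().
function load_settings_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED (1): same wire format, but PHP may not instantiate any class.
// Objects in the payload come back as __PHP_Incomplete_Class, which carries
// no __wakeup, __destruct or other magic behaviour.
function load_settings_hardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED (2): do not use PHP's native serialization for untrusted input at
// all. JSON carries the same settings and cannot name a class.
function load_settings_json(string $raw): array
{
    $decoded = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('settings must be a JSON object');
    }
    return $decoded;
}

// Constructed attacker payload, built by hand so that no TempFileLogger
// instance exists (and no destructor runs) before unserialize() is called.
function build_payload(string $path, string $data): string
{
    return sprintf(
        'O:14:"TempFileLogger":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    );
}

$dropPath = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
$payload  = build_payload($dropPath, "written by a deserialized object\n");

// 1. Vulnerable path: a real TempFileLogger is created; releasing it runs the
//    destructor, which is the attacker's file write.
$obj = load_settings_vulnerable($payload);
unset($obj);
printf("vulnerable: file dropped = %s\n", var_export(file_exists($dropPath), true));
@unlink($dropPath);

// 2. allowed_classes => false: the object is inert and releasing it writes nothing.
$safe = load_settings_hardened($payload);
printf("hardened:   got %s\n", $safe instanceof __PHP_Incomplete_Class
    ? '__PHP_Incomplete_Class' : get_debug_type($safe));
unset($safe);
printf("hardened:   file dropped = %s\n", var_export(file_exists($dropPath), true));

// 3. JSON: the serialized payload is simply not valid input.
try {
    load_settings_json($payload);
} catch (JsonException $e) {
    printf("json:       rejected (%s)\n", $e->getMessage());
}
```

Two caveats when auditing a plugin against this pattern. First, `allowed_classes => false` is the safe value; an allowlist of "harmless" classes is only as safe as the magic methods of every class on it. Second, an `__PHP_Incomplete_Class` survives a round trip through serialize(), so if the inert object is stored (for example as post meta) and later read back by code that calls unserialize() without the restriction, the gadget is reconstituted there. WordPress's own maybe_unserialize() helper calls unserialize() with no class restriction, so routing request data through it is the same bug.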
Fortra's Core Privileged Access Manager contains an OS command injection vulnerability in the boks_autoregisterd service that allows remote code execution.
The WP MAPS PRO WordPress plugin allows unauthenticated attackers to create administrator accounts via an improperly secured AJAX action.
A code injection vulnerability in the WooCommerce PDF Invoice Builder plugin allows unauthenticated remote attackers to achieve remote code inclusion.
Easy Invoice contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands on the server.
The Feed KuantoKusta for WooCommerce plugin contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries.
iControlWP contains an unauthenticated privilege escalation vulnerability that allows remote attackers to gain elevated access to the system.
An unauthenticated privilege escalation vulnerability exists in the Datalogics Ecommerce Delivery WordPress plugin, allowing attackers to gain administrative access.
The WP Maps plugin for WordPress is vulnerable to unauthenticated SQL injection, enabling attackers to extract sensitive information from the database.
An unauthenticated SQL injection vulnerability in the Simply Schedule Appointments plugin allows attackers to extract sensitive database information.
The Form Maker by 10Web plugin for WordPress is vulnerable to unauthenticated SQL injection, allowing attackers to extract information from the database.
The GeekyBot WordPress plugin is susceptible to an unauthenticated arbitrary file upload vulnerability, which can lead to remote code execution.
An arbitrary file upload vulnerability exists in the WP-BusinessDirectory plugin for WordPress, allowing attackers to upload malicious files.
An arbitrary file deletion vulnerability in the WP User Manager plugin for WordPress allows authenticated users to delete sensitive system files.
A broken authentication vulnerability in the RegistrationMagic plugin for WordPress allows unauthenticated attackers to bypass security controls.
An unauthenticated path traversal vulnerability exists in the FastDup plugin for WordPress, allowing attackers to access sensitive files.
A high-severity vulnerability affects the DbGate cross-platform database manager.
A PHP object injection vulnerability exists in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, allowing authenticated contributors to execute arbitrary code.
A SQL injection vulnerability exists in the ELEX WordPress HelpDesk & Customer Ticketing System affecting version 3 and below.
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution due to missing authorization checks in versions up to 2.
A vulnerability exists in the WordPress Ultimate Product Catalog plugin, requiring immediate investigation.
A PHP object injection vulnerability in the Post Duplicator plugin for WordPress allows authenticated contributors to perform unauthorized actions or execute code.
The Events Calendar for GeoDirectory plugin for WordPress contains a PHP object injection vulnerability accessible to authenticated contributors.
A privilege escalation vulnerability in Microsoft Exchange Server due to weak authentication allows an authorized attacker to elevate privileges over a network.
An incorrect implementation of an authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally.
A security vulnerability exists in the WordPress Booking Calendar Contact Form plugin that may allow for unauthorized access or execution.
A security flaw has been identified in the WordPress Booking Calendar Contact Form, potentially impacting the confidentiality and integrity of the site.
The WordPress 404 Redirection Manager plugin contains a security vulnerability that may expose the application to unauthorized actions.
The BBS e-Franchise plugin for WordPress is affected by a security vulnerability that could lead to unauthorized system access.
The Answer My Question plugin for WordPress contains a security vulnerability that may allow for unauthorized access or data manipulation.
A sandbox bypass vulnerability in Foxit AI allows remote code execution when processing malicious PDF files containing embedded JavaScript.
Spring Cloud Gateway Server incorrectly forwards X-Forwarded-For and Forwarded headers from untrusted proxies in specific configurations.
The EventPrime plugin for WordPress contains an unauthenticated PHP object injection vulnerability, allowing remote attackers to execute arbitrary code.
A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server allows an authenticated attacker to disclose sensitive information over the network.
An improper neutralization of input vulnerability (Cross-Site Scripting) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing attacks over a network.
On April 18th, 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and an accompanying non-security hotfix.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters, allowing unauthorized data extraction.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action.
Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint.
A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware allows potential remote command execution.
Spring AI Vector Stores are vulnerable to arbitrary query execution in Elasticsearch, OpenSearch, and GemFire via special character injection.
A signed integer overflow in the ASN1_mbstring_ncopy() function of the OpenSSL library can lead to a heap-based buffer overflow.
A stack-based buffer overflow in the Erlang OTP erts inet_drv component allows unauthenticated remote attackers to crash the BEAM VM via a crafted SCTP ERROR chunk.
Really Simple SSL versions 9 and below contain a broken authentication vulnerability exploitable without authentication, potentially allowing unauthorized access to the application.
A race condition in the Linux kernel's Intel VT-d implementation during PASID entry replacement could lead to memory corruption or system instability.
An OS command injection vulnerability in the ping diagnostic handler of Altice Labs GR140DG routers allows authenticated remote attackers to execute arbitrary commands as root.
An OS command injection vulnerability in the traceroute diagnostic handler of Altice Labs GR140DG routers allows authenticated remote attackers to execute arbitrary commands as root.
Software running as a non-privileged user can trigger an out-of-bounds write in the kernel via intentional GPU sparse memory API calls.
A broken access control vulnerability in the AI Product Search for WooCommerce plugin allows unauthenticated attackers to reach restricted search functionality.
The Hippoo Mobile App for WooCommerce version 1 and below contains a broken access control vulnerability that allows unauthenticated attackers to reach restricted functions.
WP Engine Faust.Js contains an authentication bypass vulnerability that allows attackers to abuse the password recovery flow without authorization.
ThemeGrill Masteriyo - LMS contains an incorrect privilege assignment vulnerability that permits unauthorized privilege escalation.
A heap buffer overflow vulnerability in GStreamer's librfb client allows remote attackers to trigger code execution via a malicious VNC server.
The B Blocks plugin for WordPress contains a privilege escalation vulnerability that allows contributors to gain unauthorized control over the system.
The TMS Amelia Plugin for WordPress contains an incorrect privilege assignment vulnerability that allows subscribers to escalate their privileges.
A privilege escalation vulnerability exists in the Dokan plugin, allowing authenticated users with the Customer role to gain unauthorized elevated access.
A SQL injection vulnerability in PowerPress Podcasting allows authenticated users with the Contributor role to execute arbitrary SQL commands against the database.
A SQL injection vulnerability in MasterStudy LMS allows authenticated users with the Subscriber role to execute arbitrary SQL commands.
A SQL injection vulnerability in the GamiPress plugin allows authenticated users with the Subscriber role to execute arbitrary SQL commands.
A SQL injection vulnerability in the WP Time Slots Booking Form plugin allows authenticated users with the Subscriber role to execute arbitrary SQL commands.
A SQL injection vulnerability in Subscriber Taskbuilder allows authenticated attackers with subscriber-level access to execute arbitrary database queries.
A SQL injection vulnerability exists in the WCMultiShipping plugin, enabling authenticated subscribers to manipulate database queries.
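The six entries above share one root cause: a request parameter concatenated into SQL by an AJAX or REST handler reachable from a Subscriber or Contributor account. The PHP example below is added here and is not code from any plugin in the brief. It uses an in-memory SQLite database and a constructed wp_reviews table (names and rows are assumptions) so it runs stand-alone, and puts a low-privilege UNION injection against the concatenated query next to the bound-parameter form.

```php
<?php
declare(strict_types=1);

// Constructed demo schema; table, columns and rows are assumptions for the demo.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE wp_reviews (id INTEGER PRIMARY KEY, author TEXT, location TEXT, secret_email TEXT)');
$db->exec("INSERT INTO wp_reviews VALUES
    (1, 'alice', 'Berlin', 'alice@example.test'),
    (2, 'bob',   'Paris',  'bob@example.test')");

// VULNERABLE: the filter value is spliced into the statement text, so the
// caller can close the string literal and append clauses of their own.
function find_reviews_vulnerable(PDO $db, string $location): array
{
    $sql = "SELECT id, author, location FROM wp_reviews WHERE location = '" . $location . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value travels as a bound parameter and can only ever be
// compared with the column. In WordPress the equivalent is
// $wpdb->get_results( $wpdb->prepare( "... WHERE location = %s", $location ) ).
function find_reviews_hardened(PDO $db, string $location): array
{
    $stmt = $db->prepare('SELECT id, author, location FROM wp_reviews WHERE location = ?');
    $stmt->execute([$location]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign = 'Berlin';
// Constructed payload: closes the literal, UNIONs in a column the endpoint was
// never meant to expose, and comments out the trailing quote.
$attack = "x' UNION SELECT id, secret_email, '' FROM wp_reviews -- ";

$rows = find_reviews_vulnerable($db, $benign);
printf("vulnerable, benign input : %d row(s)\n", count($rows));

$rows = find_reviews_vulnerable($db, $attack);
printf("vulnerable, attack input : %d row(s)\n", count($rows));
foreach ($rows as $r) {
    // With the attack input, the 'author' column carries secret_email values.
    printf("  'author' column now holds: %s\n", $r['author']);
}

$rows = find_reviews_hardened($db, $attack);
printf("hardened,   attack input : %d row(s)\n", count($rows));
```

When reviewing WordPress handlers for this, check two things beyond the query itself: that every `$wpdb->prepare()` placeholder is `%s`, `%d` or `%f` with the value passed as an argument rather than interpolated, and that the handler also enforces a capability check and nonce. "Authenticated" in these entries means any Subscriber, which on a site with open registration is anyone.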
An unauthenticated insecure deserialization vulnerability in Paid Videochat Turnkey Site allows attackers to execute arbitrary code.
An unauthenticated privilege escalation vulnerability in WP BASE Booking allows unauthorized users to gain elevated administrative permissions.
A CSV formula injection vulnerability in MIA Technology software allows attackers to execute arbitrary system commands on the victim's machine when a malicious CSV file is opened in a spreadsheet application.
A path traversal vulnerability exists in the WP Customer Area plugin, potentially allowing unauthorized access to sensitive files on the host server.
A mass assignment vulnerability in Flowise allows an authenticated user to take over custom templates belonging to other workspaces.
Three further entries concern security vulnerabilities in the Flowise drag-and-drop interface used for building customized large language model flows.
A security vulnerability in Config::IniFiles versions prior to 3 may allow for unauthorized manipulation or information disclosure within configuration files.
An unauthenticated arbitrary file deletion vulnerability exists in the Contact Form Extender for Divi plugin, allowing remote attackers to remove files from the server.
A guessable session cookie vulnerability in the GeoVision LPC2011/LPC2211 web interface allows unauthorized access to administrative sessions.
A vulnerability exists in the 'tmp' node package, which is used for creating temporary files and directories.
A security vulnerability has been identified in the Vim open-source command-line text editor.
A broken authentication vulnerability in the CloudSecure WP Security plugin allows unauthenticated attackers to bypass security controls.
A vulnerability in Adobe ColdFusion 2023 may expose the system to unauthorized access or remote code execution depending on the specific configuration.
A security flaw exists in Samba's certificate auto-enrollment Group Policy handling mechanism.