| CVE-2025-23201 | librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to Cross-site Scripting (XSS) on the parameters:`/addhost` -> param: community. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | medium |
| CVE-2025-23200 | librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `ajax_form.php` -> param: state. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | medium |
| CVE-2025-23199 | librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: `/ajax_form.php` -> param: descr. Librenms version up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | medium |
| CVE-2025-23198 | librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$DEVICE_ID/edit` -> param: display. Librenms versions up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | medium |
| CVE-2024-57785 | Zenitel AlphaWeb XE v11.2.3.10 was discovered to contain a local file inclusion vulnerability via the component amc_uploads.php. | critical |
| CVE-2024-57784 | An issue in the component /php/script_uploads.php of Zenitel AlphaWeb XE v11.2.3.10 allows attackers to execute a directory traversal. | critical |
| CVE-2024-57704 | Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime leads to stack-based buffer overflow. | critical |
| CVE-2024-57703 | Tenda AC8v4 V16.03.34.06 has a stack overflow vulnerability. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedEndTime leads to stack-based buffer overflow. | critical |
| CVE-2024-56144 | librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$DEVICE_ID/edit` -> param: display. Librenms versions up to 24.11.0 allow remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. This issue has been addressed in release version 24.12.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | medium |
| CVE-2024-53553 | An issue in OPEXUS FOIAXPRESS PUBLIC ACCESS LINK v11.1.0 allows attackers to bypass authentication via crafted web requests. | critical |
| CVE-2024-40514 | Insecure Permissions vulnerability in themesebrand Chatvia v.5.3.2 allows a remote attacker to escalate privileges via the User profile name and image upload functions. | high |
| CVE-2024-40513 | An issue in themesebrand Chatvia v.5.3.2 allows a remote attacker to execute arbitrary code via the User profile Upload image function. | critical |
| CVE-2023-22139 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it is mistakenly published by the other party. | No Score |
| CVE-2019-3309 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it is mistakenly published by the other party. | No Score |
| CVE-2024-55511 | A null pointer dereference vulnerability in Macrium Reflect prior to 8.1.8017 allows an attacker to elevate their privileges via executing a specially crafted executable. | high |
| CVE-2024-54660 | A JNDI injection issue was discovered in Cloudera JDBC Connector for Hive before 2.6.26 and JDBC Connector for Impala before 2.6.35. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This could lead to remote code execution. JNDI injection is possible via the JDBC connection property krbJAASFile for the Java Authentication and Authorization Service (JAAS). Using untrusted parameters in the krbJAASFile and/or remote host can trigger JNDI injection in the JDBC URL through the krbJAASFile. | critical |
| CVE-2024-48460 | An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password even when the host key verification fails. | high |
| CVE-2024-46450 | Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request. | critical |
| CVE-2025-23965 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kopatheme Kopa Nictitate Toolkit allows Stored XSS.This issue affects Kopa Nictitate Toolkit: from n/a through 1.0.2. | medium |
| CVE-2025-23963 | Missing Authorization vulnerability in Sven Hofmann & Michael Schoenrock Mark Posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mark Posts: from n/a through 2.2.3. | medium |
| CVE-2025-23962 | Missing Authorization vulnerability in Goldstar Goldstar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Goldstar: from n/a through 2.1.1. | medium |
| CVE-2025-23961 | Missing Authorization vulnerability in WP Tasker WordPress Graphs & Charts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Graphs & Charts: from n/a through 2.0.8. | medium |
| CVE-2025-23957 | Missing Authorization vulnerability in Sur.ly Sur.ly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sur.ly: from n/a through 3.0.3. | medium |
| CVE-2025-23955 | Missing Authorization vulnerability in xola.com Xola allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Xola: from n/a through 1.6. | medium |
| CVE-2025-23954 | Missing Authorization vulnerability in AWcode & KingfisherFox Salvador – AI Image Generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salvador – AI Image Generator: from n/a through 1.0.11. | medium |
| CVE-2025-23951 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DivEngine Gallery: Hybrid – Advanced Visual Gallery allows Stored XSS.This issue affects Gallery: Hybrid – Advanced Visual Gallery: from n/a through 1.4.0.2. | medium |
| CVE-2025-23950 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Said Shiripour EZPlayer allows Stored XSS.This issue affects EZPlayer: from n/a through 1.0.10. | medium |
| CVE-2025-23947 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M.J WP-Player allows Stored XSS.This issue affects WP-Player: from n/a through 2.6.1. | medium |
| CVE-2025-23946 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in le Pixel Solitaire Enhanced YouTube Shortcode allows Stored XSS.This issue affects Enhanced YouTube Shortcode: from n/a through 2.0.1. | medium |
| CVE-2025-23943 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arul PDF.js Shortcode allows Stored XSS.This issue affects PDF.js Shortcode: from n/a through 1.0. | medium |
| CVE-2025-23941 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meinturnierplan.de Team MeinTurnierplan.de Widget Viewer allows Stored XSS.This issue affects MeinTurnierplan.de Widget Viewer: from n/a through 1.1. | medium |
| CVE-2025-23940 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiem Khan Image Switcher allows Stored XSS.This issue affects Image Switcher: from n/a through 0.1.1. | medium |
| CVE-2025-23939 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiem Khan Image Switcher allows Stored XSS.This issue affects Image Switcher: from n/a through 1.1. | medium |
| CVE-2025-23936 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harun R. Rayhan (Cr@zy Coder) CC Circle Progress Bar allows Stored XSS.This issue affects CC Circle Progress Bar: from n/a through 1.0.0. | medium |
| CVE-2025-23935 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magic Plugin Factory Magic Google Maps allows Stored XSS.This issue affects Magic Google Maps: from n/a through 1.0.4. | medium |
| CVE-2025-23934 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PromoSimple Giveaways and Contests by PromoSimple allows Stored XSS.This issue affects Giveaways and Contests by PromoSimple: from n/a through 1.24. | medium |
| CVE-2025-23933 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpFreeware WpF Ultimate Carousel allows Stored XSS.This issue affects WpF Ultimate Carousel: from n/a through 1.0.11. | medium |
| CVE-2025-23930 | Missing Authorization vulnerability in iTechArt-Group PayPal Marketing Solutions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PayPal Marketing Solutions: from n/a through 1.2. | medium |
| CVE-2025-23929 | Missing Authorization vulnerability in wishfulthemes Email Capture & Lead Generation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Email Capture & Lead Generation: from n/a through 1.0.2. | medium |
| CVE-2025-23928 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Arsovski Google Org Chart allows Stored XSS.This issue affects Google Org Chart: from n/a through 1.0.1. | medium |
| CVE-2025-23927 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Massimo Serpilli Incredible Font Awesome allows Stored XSS.This issue affects Incredible Font Awesome: from n/a through 1.0. | medium |
| CVE-2025-23926 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TC Ajax WP Query Search Filter allows Stored XSS.This issue affects Ajax WP Query Search Filter: from n/a through 1.0.7. | medium |
| CVE-2025-23925 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jimmy Peña Feedburner Optin Form allows Stored XSS.This issue affects Feedburner Optin Form: from n/a through 0.2.8. | medium |
| CVE-2025-23924 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jérémy Heleine WP Photo Sphere allows Stored XSS.This issue affects WP Photo Sphere: from n/a through 3.8. | medium |
| CVE-2025-23922 | Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder allows Upload a Web Shell to a Web Server.This issue affects iSpring Embedder: from n/a through 1.0. | critical |
| CVE-2025-23919 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Ella van Durpe Slides & Presentations allows Code Injection.This issue affects Slides & Presentations: from n/a through 0.0.39. | medium |
| CVE-2025-23917 | Missing Authorization vulnerability in Chandrika Guntur, Morgan Kay Chamber Dashboard Business Directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chamber Dashboard Business Directory: from n/a through 3.3.8. | medium |
| CVE-2025-23916 | Missing Authorization vulnerability in Nuanced Media WP Meetup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Meetup: from n/a through 2.3.0. | medium |
| CVE-2025-23915 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roninwp FAT Event Lite allows PHP Local File Inclusion.This issue affects FAT Event Lite: from n/a through 1.1. | high |
| CVE-2025-23913 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pankajpragma, rahulpragma WordPress Google Map Professional allows SQL Injection.This issue affects WordPress Google Map Professional: from n/a through 1.0. | high |
