CVE-2024-12511 | With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access. | high |
CVE-2024-11134 | The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventer_export_bookings_csv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to download bookings, which contains customers' personal data. | medium |
CVE-2024-11133 | The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_pdf_download_request' function in all versions up to, and including, 3.9.9. This makes it possible for unauthenticated attackers to download event tickets. | medium |
CVE-2024-11132 | The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | medium |
CVE-2024-57238 | Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to SQL Injection in the /reqproc/proc_get endpoint. The vulnerability allows an attacker to manipulate SQL queries by injecting malicious SQL code into the order_by parameter. | critical |
CVE-2024-57237 | Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to Cross Site Scripting (XSS) in the /reqproc/proc_get endpoint. The vulnerability arises because the cmd parameter does not properly sanitize input and the response is served with a Content-Type of text/html. This behavior allows the browser to execute injected JavaScript code. | medium |
CVE-2024-57004 | Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session. | medium |
CVE-2024-50656 | itsourcecode Placement Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Full Name field in registration.php. | medium |
CVE-2024-12510 | If LDAP settings are accessed, authentication could be redirected to another server, potentially exposing credentials. This requires admin access and an active LDAP setup. | medium |
CVE-2025-24898 | rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. The `openssl` crate version 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback. | medium |
CVE-2024-57967 | PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 has potentially elevated privileges in LDAP mapping. | medium |
CVE-2024-57362 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-54840. Reason: This candidate is a reservation duplicate of CVE-2024-54840. Notes: All CVE users should reference CVE-2024-54840 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | No Score |
CVE-2024-57175 | A Stored Cross-Site Scripting (XSS) vulnerability was identified in the PHPGURUKUL Online Birth Certificate System v1.0 via the profile name to /user/certificate-form.php. | medium |
CVE-2024-56161 | Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP. | high |
CVE-2024-54840 | PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection. | medium |
CVE-2024-53943 | An issue was discovered in NRadio N8-180 NROS-1.9.2.n3.c5 devices. The /cgi-bin/luci/nradio/basic/radio endpoint is vulnerable to XSS via the 2.4 GHz and 5 GHz name parameters, allowing an attacker to execute JavaScript within the context of the current user by injecting JavaScript into the SSID field. If an administrator logs into the device, the injected script runs in their browser, executing the malicious payload. | medium |
CVE-2024-53942 | An issue was discovered on NRadio N8-180 NROS-1.9.2.n3.c5 devices. The /cgi-bin/luci/nradio/basic/radio endpoint is vulnerable to command injection via the 2.4 GHz and 5 GHz name parameters, allowing a remote attacker to execute arbitrary OS commands on the device (with root-level permissions) via crafted input. | critical |
CVE-2024-36437 | The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component. | No Score |
CVE-2024-55456 | lunasvg v3.0.1 was discovered to contain a segmentation violation via the component gray_find_cell. | medium |
CVE-2024-49843 | Memory corruption while processing IOCTL from user space to handle GPU AHB bus error. | high |
CVE-2024-49840 | Memory corruption while Invoking IOCTL calls from user-space to validate FIPS encryption or decryption functionality. | high |
CVE-2024-49839 | Memory corruption during management frame processing due to mismatch in T2LM info element. | high |
CVE-2024-49838 | Information disclosure while parsing the OCI IE with invalid length. | high |
CVE-2024-49837 | Memory corruption while reading CPU state data during guest VM suspend. | high |
CVE-2024-49834 | Memory corruption while power-up or power-down sequence of the camera sensor. | high |
CVE-2024-49833 | Memory corruption can occur in the camera when an invalid CID is used. | high |
CVE-2024-49832 | Memory corruption in Camera due to unusually high number of nodes passed to AXI port. | high |
CVE-2024-45584 | Memory corruption can occur when a compat IOCTL call is followed by a normal IOCTL call from userspace. | high |
CVE-2024-45582 | Memory corruption while validating number of devices in Camera kernel. | high |
CVE-2024-45573 | Memory corruption may occur while generating test pattern due to negative indexing of display ID. | high |
CVE-2024-45571 | Memory corruption may occur when stopping the WLAN interface after processing a WMI command from the interface. | high |
CVE-2024-45569 | Memory corruption while parsing the ML IE due to invalid frame content. | critical |
CVE-2024-45561 | Memory corruption while handling IOCTL call from user-space to set latency level. | high |
CVE-2024-45560 | Memory corruption while taking a snapshot with hardware encoder due to unvalidated userspace buffer. | high |
CVE-2024-38420 | Memory corruption while configuring a Hypervisor based input virtual device. | high |
CVE-2024-38418 | Memory corruption while parsing the memory map info in IOCTL calls. | high |
CVE-2024-38417 | Information disclosure while processing IO control commands. | medium |
CVE-2024-38416 | Information disclosure during audio playback. | medium |
CVE-2024-38414 | Information disclosure while processing information on firmware image during core initialization. | medium |
CVE-2024-38413 | Memory corruption while processing frame packets. | medium |
CVE-2024-38412 | Memory corruption while invoking IOCTL calls from user-space to kernel-space to handle session errors. | medium |
CVE-2024-38411 | Memory corruption while registering a buffer from user-space to kernel-space using IOCTL calls. | medium |
CVE-2024-38404 | Transient DOS when registration accept OTA is received with incorrect ciphering key data IE in modem. | high |
CVE-2025-24781 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WPJobBoard allows Reflected XSS. This issue affects WPJobBoard: from n/a through 5.10.1. | high |
CVE-2025-24707 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 Photo Gallery Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery allows Reflected XSS. This issue affects Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery: from n/a through 2.7.7.24. | high |
CVE-2025-24697 | Missing Authorization vulnerability in Realwebcare Image Gallery – Responsive Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Gallery – Responsive Photo Gallery: from n/a through 1.0.5. | medium |
CVE-2025-24684 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ederson Peka Media Downloader allows Reflected XSS. This issue affects Media Downloader: from n/a through 0.4.7.5. | high |
CVE-2025-24676 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metatagg Inc Custom WP Store Locator allows Reflected XSS. This issue affects Custom WP Store Locator: from n/a through 1.4.7. | high |
CVE-2025-24661 | Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.1.8. | critical |
CVE-2025-24660 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wp.insider Simple Membership Custom Messages allows Reflected XSS. This issue affects Simple Membership Custom Messages: from n/a through 2.4. | high |