New
CVE-2025-59131: WordPress WP-CalDav2ICS plugin <= 1.3.4 - Cross Site Request Forgery (CSRF) vulnerability: Cross-Site Request Forgery (CSRF) vulnerability in Hoernerfranz WP-CalDav2ICS allows Stored XSS.This issue affects WP-CalDav2ICS: from n/a through 1.3.4.
CVE-2022-50802: ETAP Safety Manager 1.0.0.32 Unauthenticated Reflected Cross-Site Scripting via Action Parameter: ETAP Safety Manager 1.0.0.32 contains a cross-site scripting vulnerability in the 'action' GET parameter that allows unauthenticated attackers to inject malicious HTML and JavaScript. Attackers can craft specially formed requests to execute arbitrary scripts in victim browser sessions, potentially ...
CVE-2025-15114: Ksenia Security Lares 4.0 Home Automation 1.6 PIN Exposure Vulnerability: Ksenia Security Lares 4.0 Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication.
CVE-2025-15113: Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload: Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automat...
CVE-2025-15112: Ksenia Security Lares 4.0 Home Automation 1.6 URL Redirection Vulnerability: Ksenia Security Lares 4.0 version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted ...
Updated
CVE-2025-7195: Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd: Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.1...
CVE-2025-15360: newbee-mall-plus Product Information Edit UploadController.java upload unrestricted upload: A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument File causes unrestricted upload. The attack may be...
CVE-2025-15199: code-projects College Notes Uploading System userprofile.php unrestricted upload: A security vulnerability has been detected in code-projects College Notes Uploading System 1.0. Impacted is an unknown function of the file /dashboard/userprofile.php. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed ...
CVE-2025-14280: PixelYourSite <= 11.1.5 - Sensitive Information Exposure via Log File: The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" se...
CVE-2025-13592: Advanced Ads <= 2.0.14 - Authenticated (Editor+) Remote Code Execution via Shortcode: The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server.
CISA Known Exploited Vulnerabilities
CVE-2025-14847 MongoDB MongoDB and MongoDB Server: MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client.
CVE-2023-52163 Digiever DS-2105 Pro: Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi.
CVE-2025-14733 WatchGuard Firebox: WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.
CVE-2025-59374 ASUS Live Update: ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2025-20393 Cisco Multiple Products: Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.
