Total
318437 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-40108 | 1 Linux | 1 Linux Kernel | 2025-11-12 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: serial: qcom-geni: Fix blocked task Revert commit 1afa70632c39 ("serial: qcom-geni: Enable PM runtime for serial driver") and its dependent commit 86fa39dd6fb7 ("serial: qcom-geni: Enable Serial on SA8255p Qualcomm platforms") because the first one causes regression - hang task on Qualcomm RB1 board (QRB2210) and unable to use serial at all during normal boot: INFO: task kworker/u16:0:12 blocked for more than 42 seconds. Not tainted 6.17.0-rc1-00004-g53e760d89498 #9 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u16:0 state:D stack:0 pid:12 tgid:12 ppid:2 task_flags:0x4208060 flags:0x00000010 Workqueue: async async_run_entry_fn Call trace: __switch_to+0xe8/0x1a0 (T) __schedule+0x290/0x7c0 schedule+0x34/0x118 rpm_resume+0x14c/0x66c rpm_resume+0x2a4/0x66c rpm_resume+0x2a4/0x66c rpm_resume+0x2a4/0x66c __pm_runtime_resume+0x50/0x9c __driver_probe_device+0x58/0x120 driver_probe_device+0x3c/0x154 __driver_attach_async_helper+0x4c/0xc0 async_run_entry_fn+0x34/0xe0 process_one_work+0x148/0x290 worker_thread+0x2c4/0x3e0 kthread+0x118/0x1c0 ret_from_fork+0x10/0x20 The issue was reported on 12th of August and was ignored by author of commits introducing issue for two weeks. Only after complaining author produced a fix which did not work, so if original commits cannot be reliably fixed for 5 weeks, they obviously are buggy and need to be dropped. | ||||
| CVE-2025-40109 | 1 Linux | 1 Linux Kernel | 2025-11-12 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: crypto: rng - Ensure set_ent is always present Ensure that set_ent is always set since only drbg provides it. | ||||
| CVE-2025-12621 | 2 Wordpress, Wpdesk | 2 Wordpress, Flexible Refund And Return Order For Woocommerce | 2025-11-12 | 5.3 Medium |
| The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds. | ||||
| CVE-2025-64681 | 1 Jetbrains | 1 Hub | 2025-11-12 | 2.7 Low |
| In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations | ||||
| CVE-2025-64682 | 1 Jetbrains | 1 Hub | 2025-11-12 | 2.7 Low |
| In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit | ||||
| CVE-2025-63147 | 1 Tenda | 1 Ax3 | 2025-11-12 | N/A |
| Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the deviceId parameter of the saveParentControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | ||||
| CVE-2025-63455 | 1 Tenda | 1 Ax3 | 2025-11-12 | 7.5 High |
| Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | ||||
| CVE-2025-64683 | 1 Jetbrains | 1 Hub | 2025-11-12 | 5.3 Medium |
| In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API | ||||
| CVE-2025-64686 | 1 Jetbrains | 1 Youtrack | 2025-11-12 | 3.1 Low |
| In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context | ||||
| CVE-2025-12092 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 6.5 Medium |
| The CYAN Backup plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' functionality in all versions up to, and including, 2.5.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-12498 | 2 Metagauss, Wordpress | 2 Eventprime, Wordpress | 2025-11-12 | 4.3 Medium |
| The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized booking note creation due to a missing capability check on the 'booking_add_notes' function in all versions up to, and including, 4.2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add a note to the backend view of any booking. | ||||
| CVE-2025-12064 | 2 F1logic, Wordpress | 2 Wpsocial Auto Publish, Wordpress | 2025-11-12 | 6.1 Medium |
| The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-12726 | 2 Google, Microsoft | 2 Chrome, Windows | 2025-11-12 | 7.5 High |
| Inappropriate implementation in Views in Google Chrome on Windows prior to 142.0.7444.137 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2025-12725 | 1 Google | 2 Android, Chrome | 2025-11-12 | 4.3 Medium |
| Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2025-33150 | 1 Ibm | 1 Cognos Analytics | 2025-11-12 | 5.3 Medium |
| IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages. | ||||
| CVE-2025-42890 | 1 Sap | 1 Sql Anywhere | 2025-11-12 | 10 Critical |
| SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system. | ||||
| CVE-2025-47932 | 1 Combodo | 1 Itop | 2025-11-12 | 8.8 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack. | ||||
| CVE-2025-11748 | 1 Wordpress | 1 Wordpress | 2025-11-12 | 4.3 Medium |
| The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode. | ||||
| CVE-2025-62780 | 1 Dgtlmoon | 1 Changedetection.io | 2025-11-12 | 3.5 Low |
| changedetection.io is a free open source web page change detection tool. A Stored Cross Site Scripting is present in changedetection.io Watch update API in versions prior to 0.50.34 due to insufficient security checks. Two scenarios are possible. In the first, an attacker can insert a new watch with an arbitrary URL which really points to a web page. Once the HTML content is retrieved, the attacker updates the URL with a JavaScript payload. In the second, an attacker substitutes the URL in an existing watch with a new URL that is in reality a JavaScript payload. When the user clicks on *Preview* and then on the malicious link, the JavaScript malicious code is executed. Version 0.50.34 fixes the issue. | ||||
| CVE-2025-63834 | 1 Tenda | 1 Ac18 | 2025-11-12 | N/A |
| A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router's homepage. | ||||