Total
320300 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13949 | 1 Proudmubai | 1 Gofilm | 2025-12-04 | 6.3 Medium |
| A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file /server/controller/FileController.go. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12887 | 2 Saadiqbal, Wordpress | 2 Post Smtp, Wordpress | 2025-12-04 | 5.4 Medium |
| The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticated attackers, with subscriber level access and above, to inject invalid or attacker-controlled OAuth credentials. | ||||
| CVE-2025-20383 | 1 Splunk | 3 Splunk Cloud Platform, Splunk Enterprise, Splunk Secure Gateway | 2025-12-04 | 4.3 Medium |
| In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert. | ||||
| CVE-2025-13751 | 2 Microsoft, Openvpn | 2 Windows, Openvpn | 2025-12-04 | N/A |
| Interactive service agent in OpenVPN version 2.5.0 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | ||||
| CVE-2025-13390 | 2 Listingthemes, Wordpress | 2 Wpdirectory Kit, Wordpress | 2025-12-04 | 10 Critical |
| The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. | ||||
| CVE-2025-55076 | 2 Apple, Plugin Alliance | 2 Macos, Installation Manager | 2025-12-04 | 6.2 Medium |
| A local privilege escalation vulnerability exists in the InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 for macOS. The service accepts unauthenticated XPC connections and executes input via system(), which may allow a local user to execute arbitrary commands with root privileges. | ||||
| CVE-2025-57200 | 1 Avtech | 1 Dgm1104 | 2025-12-04 | 6.5 Medium |
| AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2025-65842 | 2 Acusticaudio, Apple | 2 Aquarius Helpertool, Macos | 2025-12-04 | N/A |
| The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell. | ||||
| CVE-2025-20388 | 1 Splunk | 2 Splunk Cloud Platform, Splunk Enterprise | 2025-12-04 | 2.7 Low |
| In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment. | ||||
| CVE-2025-53841 | 2 Akamai, Microsoft | 2 Guardicore Platform Agent, Windows | 2025-12-04 | 7.8 High |
| Akamai Guardicore Platform Agent before 52.1.1 allows an unprivileged user to fully elevate privileges to SYSTEM. This affects versions before 50.15.0, 51.12.0, and 52.1.1. | ||||
| CVE-2025-13354 | 1 Wordpress | 1 Wordpress | 2025-12-04 | 4.3 Medium |
| The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms. | ||||
| CVE-2025-57201 | 1 Avtech | 1 Dgm1104 | 2025-12-04 | 8.8 High |
| AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2024-32641 | 1 Masacms | 1 Masacms | 2025-12-04 | 9.8 Critical |
| Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6. | ||||
| CVE-2025-66032 | 1 Anthropics | 1 Claude Code | 2025-12-04 | N/A |
| Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93. | ||||
| CVE-2025-7044 | 1 Canonical | 1 Maas | 2025-12-04 | 7.7 High |
| An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment. | ||||
| CVE-2025-20382 | 1 Splunk | 2 Splunk Cloud Platform, Splunk Enterprise | 2025-12-04 | 3.5 Low |
| In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | ||||
| CVE-2025-65841 | 2 Acusticaudio, Apple | 2 Aquarius Desktop, Macos | 2025-12-04 | N/A |
| Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or login through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. | ||||
| CVE-2025-13787 | 2 Easycorp, Zentao | 2 Zentao, Zentao | 2025-12-04 | 5.4 Medium |
| A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component. | ||||
| CVE-2025-57198 | 1 Avtech | 1 Dgm1104 | 2025-12-04 | 8.8 High |
| AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | ||||
| CVE-2025-66222 | 1 Thinkinai | 1 Deepchat | 2025-12-04 | 9.7 Critical |
| DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server. | ||||