Common Vulnerabilities and Exposures (CVE)

CVE-2025-13378

Dec 3, 2025 17:08:53 UTC

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for ...

CVE-2025-65843

Dec 3, 2025 17:04:48 UTC

Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the ~/Library/Logs/Aquarius directory and treats them a...

CVE-2024-44373

Dec 3, 2025 16:59:34 UTC

A Path Traversal vulnerability in AllSky v2023.05.01 through v2024.12.06_06 allows an unauthenticated attacker to create a webshell and remote code execution via the path, content parameter to /includes/save_file.php.

CVE-2025-66431

Dec 3, 2025 16:54:31 UTC

WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdom...

CVE-2024-32642

Dec 3, 2025 16:50:44 UTC

Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8,...

CVE-2025-12185

Dec 3, 2025 16:47:12 UTC

The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authentica...

CVE-2025-65238

Dec 3, 2025 16:45:34 UTC

Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.

CVE-2025-10230

Dec 3, 2025 16:43:03 UTC

A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted i...

CVE-2025-7044

Dec 3, 2025 16:42:52 UTC

An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server impr...

CVE-2025-65622

Dec 3, 2025 16:38:25 UTC

Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.

CVE-2025-59890

Dec 3, 2025 16:35:27 UTC

Improper input sanitization in the file archives upload functionality of Eaton Galileo software allows traversing paths which could lead into an attacker with local access to execute unauthorized code or commands. This security issue has be...

CVE-2025-30190

Dec 3, 2025 16:34:44 UTC

Malicious content at office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the prov...

CVE-2025-55076

Dec 3, 2025 16:34:25 UTC

A local privilege escalation vulnerability exists in the InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 for macOS. The service accepts unauthenticated XPC connections and executes input via system(), wh...

CVE-2025-62686

Dec 3, 2025 16:33:29 UTC

A local privilege escalation vulnerability exists in the Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS. Due to the absence of a hardened runtime and a __RESTRICT segment, a loc...

CVE-2025-13751

Dec 3, 2025 16:32:26 UTC

Interactive service agent in OpenVPN version 2.5.0 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.