Total
5649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-67164 | 1 Pagekit | 1 Pagekit | 2026-01-02 | N/A | 9.9 CRITICAL |
| An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file. | |||||
| CVE-2025-15437 | 2026-01-02 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 6.1.26 and 6.3 is able to mitigate this issue. The patch is named 264ac5b2be5b3c673ebd8cb862e673f5d300d9a7. The affected component should be upgraded. | |||||
| CVE-2025-67748 | 1 Trailofbits | 1 Fickling | 2026-01-02 | N/A | 7.8 HIGH |
| Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues. | |||||
| CVE-2025-15374 | 1 Eyoucms | 1 Eyoucms | 2026-01-02 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8". | |||||
| CVE-2021-47735 | 1 Cmsimple | 1 Cmsimple | 2025-12-31 | N/A | 8.8 HIGH |
| CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token. | |||||
| CVE-2025-13592 | 2025-12-31 | N/A | 7.2 HIGH | ||
| The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server. | |||||
| CVE-2025-14509 | 2025-12-31 | N/A | 7.2 HIGH | ||
| The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments. | |||||
| CVE-2025-15249 | 2025-12-31 | 4.0 MEDIUM | 3.5 LOW | ||
| A weakness has been identified in zhujunliang3 work_platform up to 6bc5a50bb527ce27f7906d11ea6ec139beb79c31. This vulnerability affects unknown code of the component Content Handler. Executing manipulation can lead to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2025-15248 | 2025-12-31 | 4.0 MEDIUM | 3.5 LOW | ||
| A security flaw has been discovered in sunhailin12315 product-review 商品评价系统 up to 91ead6890b4065bb45b7602d0d73348e75cb4639. This affects an unknown part of the component Write a Review. Performing manipulation of the argument content results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. This product adopts a rolling release strategy to maintain continuous delivery The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2025-15250 | 2025-12-31 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A security vulnerability has been detected in 08CMS Novel System up to 3.4. This issue affects some unknown processing of the file admina/mtpls.inc.php of the component Template Handler. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2019-25262 | 2025-12-31 | 4.0 MEDIUM | 3.5 LOW | ||
| A security vulnerability has been detected in elinicksic Razgover up to db37dfc5c82f023a40f2f7834ded6633fb2b5262. This affects an unknown part of the file Chattify/send.php of the component Chat Message Handler. Such manipulation of the argument msg leads to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is 995dd89d0e3ec5522966724be23a5d58ca1bdac3. Applying a patch is advised to resolve this issue. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-15188 | 1 Campcodes | 1 Online Beauty Parlor Management System | 2025-12-31 | 3.3 LOW | 2.4 LOW |
| A vulnerability was determined in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/search-invoices.php. Executing manipulation of the argument searchdata can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-15094 | 1 Sunkaifei | 1 Flycms | 2025-12-31 | 5.0 MEDIUM | 4.3 MEDIUM |
| A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2025-15093 | 1 Sunkaifei | 1 Flycms | 2025-12-31 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15052 | 1 Fabian | 1 Student Information System | 2025-12-30 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Performing manipulation of the argument firstname/lastname results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. | |||||
| CVE-2025-65829 | 1 Meatmeet | 2 Meatmeet Pro Wifi \& Bluetooth Meat Thermometer, Meatmeet Pro Wifi \& Bluetooth Meat Thermometer Firmware | 2025-12-30 | N/A | 6.8 MEDIUM |
| The ESP32 system on a chip (SoC) that powers the Meatmeet basestation device was found to lack Secure Boot. The Secure Boot feature ensures that only authenticated software can execute on the device. The Secure Boot process forms a chain of trust by verifying all mutable software entities involved in the Application Startup Flow. As a result, an attacker with physical access to the device can flash modified firmware to the device, resulting in the execution of malicious code upon startup. | |||||
| CVE-2025-14856 | 1 Ruoyi | 1 Ruoyi | 2025-12-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file /monitor/cache/getnames. Such manipulation of the argument fragment leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-14837 | 1 Zzcms | 1 Zzcms | 2025-12-30 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-14991 | 1 Campcodes | 1 Complete Online Beauty Parlor Management System | 2025-12-30 | 3.3 LOW | 2.4 LOW |
| A weakness has been identified in Campcodes Complete Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/bwdates-reports-details.php. Executing manipulation of the argument fromdate can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-14962 | 1 Carmelo | 1 Simple Stock System | 2025-12-30 | 5.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in code-projects Simple Stock System 1.0. The impacted element is an unknown function of the file /market/chatuser.php. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. | |||||