| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MetricThemes Header Footer Composer for Elementor header-footer-composer allows DOM-Based XSS.This issue affects Header Footer Composer for Elementor: from n/a through <= 1.0.4. |
| Cross-Site Request Forgery (CSRF) vulnerability in Lars Schenk Responsive Flickr Gallery responsive-flickr-gallery allows Stored XSS.This issue affects Responsive Flickr Gallery: from n/a through <= 1.3.1. |
| Cross-Site Request Forgery (CSRF) vulnerability in bnielsen Affiliate Disclosure Statement affiliate-disclosure-statement allows Cross Site Request Forgery.This issue affects Affiliate Disclosure Statement: from n/a through <= 0.3. |
| Cross-Site Request Forgery (CSRF) vulnerability in Sam Hoe SH Slideshow sh-slideshow allows Stored XSS.This issue affects SH Slideshow: from n/a through <= 4.3. |
| Cross-Site Request Forgery (CSRF) vulnerability in a.ankit Webriti Custom Login webriti-custom-login-page allows Reflected XSS.This issue affects Webriti Custom Login: from n/a through <= 0.3. |
| ASUS routers supporting custom OpenVPN profiles are vulnerable to a code execution vulnerability. An authenticated and remote attacker can execute arbitrary operating system commands by uploading a crafted OVPN profile. Known affected routers include ASUS ExpertWiFi, ASUS RT-AX55, ASUS RT-AX58U, ASUS RT-AC67U, ASUS RT-AC68R, ASUS RT-AC68U, ASUS RT-AX86, ASUS RT-AC86U, ASUS RT-AX88U, and ASUS RT-AX3000. |
| Cross-Site Request Forgery (CSRF) vulnerability in Garmur While Loading while-it-is-loading allows Stored XSS.This issue affects While Loading: from n/a through <= 3.0. |
| The Lafka Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_options_upload' AJAX function in all versions up to, and including, 7.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the theme option that overrides the site. |
| A weakness has been identified in UGREEN DH2100+ up to 5.3.0.251125. This affects the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. Executing a manipulation of the argument path can lead to buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. It is recommended to upgrade the affected component. |
| Uncontrolled resource consumption vulnerability in XAMPP Windows, versions 7.3.2 and earlier. This vulnerability exists when XAMPP attempts to process many incomplete HTTP requests, resulting in resource consumption and system crashes. |
| The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steven Nolles Bonway Static Block Editor bonway-static-block-editor allows DOM-Based XSS.This issue affects Bonway Static Block Editor: from n/a through <= 1.1.0. |
| Lattice Semiconductor ispVM System v18.0.2 contains a buffer overflow vulnerability in its handling of .xcf project files. When parsing the version attribute of the ispXCF XML tag, the application fails to properly validate input length, allowing a specially crafted file to overwrite memory on the stack. This can result in arbitrary code execution under the context of the user who opens the file. The vulnerability is triggered locally by opening a malicious .xcf file and does not require elevated privileges. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AuburnForest DataMentor datamentor allows DOM-Based XSS.This issue affects DataMentor: from n/a through <= 1.7. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MicahBlu RSVP ME rsvp-me allows SQL Injection.This issue affects RSVP ME: from n/a through <= 1.9.9. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mudssar amazing neo icon font for elementor amazing-neo-icon-font-for-elementor allows DOM-Based XSS.This issue affects amazing neo icon font for elementor: from n/a through <= 2.0.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in overclokk Advanced Control Manager for WordPress by ItalyStrap advanced-control-manager allows Stored XSS.This issue affects Advanced Control Manager for WordPress by ItalyStrap: from n/a through <= 2.16.0. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in lodgix Lodgix.com Vacation Rental Website Builder lodgixcom-vacation-rental-listing-management-booking-plugin allows SQL Injection.This issue affects Lodgix.com Vacation Rental Website Builder: from n/a through <= 3.9.73. |
| EGallery version 1.2 contains an unauthenticated arbitrary file upload vulnerability in the uploadify.php script. The application fails to validate file types or enforce authentication, allowing remote attackers to upload malicious PHP files directly into the web-accessible egallery/ directory. This results in full remote code execution under the web server context. |
| AAT (Another Activity Tracker) is a GPS-tracking application for tracking sportive activities, with emphasis on cycling. Versions lower than v1.26 of AAT are vulnerable to data exfiltration from malicious apps installed on the same device. |
