- CVE-2022-40285 - Apache HTTP Server Command Injection Vulnerability
- CVE-2025-56392 - Syaqui Collegetivity IDOR Vulnerability
- CVE-2025-36132 - IBM Planning Analytics Local cross-site scripting
- CVE-2025-36262 - IBM Planning Analytics Local information disclosure
- CVE-2024-55017 - Corezoid OAuth2 Open Redirect Account Takeover
- CVE-2025-10659 - MegaSys Enterprises Telenium Online Web Application OS Command Injection
- CVE-2025-56132 - LiquidFiles User Enumeration Vulnerability
- CVE-2025-43827 - Liferay Portal Liferay DXP IDOR Audit Events Vulnerability
- CVE-2025-57254 - Karthikg1908 Hospital Management System (HMS) SQL Injection Vulnerability
- CVE-2025-56200 - Validator.js URL Validation Bypass Cross-Site Scripting and Open Redirect Vulnerability
- CVE-2025-56513 - NiceHash QuickMiner Unvalidated HTTP Updates Remote Code Execution
- CVE-2025-56675 - EKEN Video Doorbell T6 Wi-Fi Information Disclosure
- CVE-2025-11195 - Rapid7 AppSpider Project Name Validation Bypass
- CVE-2025-23291 - NVIDIA Delegated Licensing Service Unauthorized Action Information Disclosure
- CVE-2025-23292 - NVIDIA Delegated Licensing Service SQL Injection Vulnerability
- CVE-2025-23293 - NVIDIA Delegated Licensing Service Privilege Escalation Information Disclosure Vulnerability
- CVE-2025-10725 - Openshift-ai: overly permissive clusterrole allows authenticated users to escalate privileges to cluster admin
- CVE-2025-56207 - Money Making Opportunity (MMO) ERC721 NFT Transfer to Zero Address Vulnerability
- CVE-2025-56520 - Dify SSRF
- CVE-2025-56676 - TitanSystems Zender Account Takeover Vulnerability
- CVE-2025-6033 - Memory Corruption issue in XML_Serialize() in NI Circuit Design Suite
- CVE-2025-6034 - Out of Bounds Read in DefaultFontOptions() in NI Circuit Design Suite
- CVE-2025-56572 - Adobe Finance JavaScript Zero-Days Denial of Service
- CVE-2025-54476 - Joomla! Core - [20250901] Inadequate content filtering within the checkAttribute filter code
- CVE-2025-54477 - Joomla! Core - [20250902] User-Enumeration in passkey authentication method
- CVE-2025-55797 - FormCms Unauthenticated Historical Schema Data Access
- CVE-2025-56018 - SourceCodester Web-based Pharmacy Product Management System XSS in Category Name Field
- CVE-2025-56571 - Finance.js Denial of Service (DoS)
- CVE-2025-57852 - Openshift-ai: privilege escalation via excessive /etc/passwd permissions
- CVE-2025-56301 - Rocket-Chip CSR Logic Exception Handling Privilege State Transition Corruption
- CVE-2025-28016 - PHPGurukul User Registration & Login and User Management System XSS
- CVE-2025-11178 - Acronis True Image DLL Hijacking Vulnerability
- CVE-2025-52047 - ErpNext Frappe SQL Injection
- CVE-2025-52049 - ErpNext Timesheet SQL Injection Vulnerability
- CVE-2025-52050 - ERPNext Loyalty Program SQL Injection
- CVE-2025-52043 - ERPNext SQL Injection Vulnerability
- CVE-2025-9232 - Out-of-bounds read in HTTP client no_proxy handling
- CVE-2025-9231 - Timing side-channel in SM2 algorithm on 64 bit ARM
- CVE-2025-9230 - Out-of-bounds read & write in RFC 3211 KEK Unwrap
- CVE-2025-10217 - Apache Asset Suite Log Injection Vulnerability
- CVE-2025-10859 - Firefox for iOS Browser Private Data Disclosure
- CVE-2025-11152 - Mozilla Firefox Denial of Service
- CVE-2025-11153 - Mozilla Firefox Use-After-Free Vulnerability
- CVE-2025-34217 - Vasion Print (formerly PrinterLogic) Undocumented Hardcoded SSH Key
- CVE-2025-8777 - planetcalc <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via language Parameter
- CVE-2025-8877 - AffiliateWP <= 2.28.2 - Unauthenticated SQL Injection
- CVE-2025-8122 - Blind SQL Injection in PAD CMS
- CVE-2025-8214 - The Pack Elementor addon <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typing Letter Widget
- CVE-2025-8566 - GutenBee – Gutenberg Blocks <= 2.18.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
- CVE-2025-10196 - WordPress Survey Anyplace Stored Cross-Site Scripting
- CVE-2025-11149 - Node-Static Null Byte Directory Traversal
- CVE-2025-8559 - WordPress All in One Music Player Path Traversal Vulnerability
- CVE-2025-10130 - WordPress Layers Stored Cross-Site Scripting Vulnerability
- CVE-2025-11163 - SmartCrawl WordPress Unauthorized Data Modification Vulnerability
- CVE-2025-10131 - WordPress All Social Share Options Stored Cross-Site Scripting
- CVE-2025-8560 - WordPress FancyTabs Stored Cross-Site Scripting Vulnerability
- CVE-2025-10179 - WordPress My AskAI Stored Cross-Site Scripting Vulnerability
- CVE-2025-10189 - WordPress BP Direct Menus Stored Cross-Site Scripting
- CVE-2025-9946 - LockerPress – WordPress Security Plugin CSRF Vulnerability
- CVE-2025-6941 - LatePoint WordPress Stored Cross-Site Scripting Vulnerability
- CVE-2025-8624 - Nexa Blocks WordPress Stored Cross-Site Scripting Vulnerability
- CVE-2025-8608 - Elementor Yandex Maps WordPress Stored Cross-Site Scripting
- CVE-2025-9852 - Momoyoga Yoga Schedule WordPress Stored Cross-Site Scripting Vulnerability
- CVE-2025-10128 - Eulerpool Research Systems WordPress Stored Cross-Site Scripting
- CVE-2025-6815 - LatePoint - WordPress Calendar Booking Plugin Stored Cross-Site Scripting Vulnerability
- CVE-2025-10191 - WooCommerce Big Post Shipping Stored Cross-Site Scripting Vulnerability
- CVE-2025-10000 - Qyrr WordPress Arbitrary File Upload Vulnerability
- CVE-2025-9948 - Chatwee WordPress CSRF
- CVE-2025-59668 - Central Monitor CNS-6201 NULL Pointer Dereference Vulnerability
- CVE-2025-8623 - WeedMaps Menu for WordPress Stored Cross-Site Scripting Vulnerability
- CVE-2025-61584 - serverless-dns is vulnerable to Command Injection through pr.yml GitHub Action Workflow
- CVE-2025-10991 - Root Access via UART
- CVE-2025-59956 - AgentAPI exposed user chat history via a DNS rebinding attack
- CVE-2024-58040 - Crypt::RandomEncryption for Perl uses insecure rand() function during encryption
- CVE-2025-59954 - Knowage Contains a Remote Code Execution Vulnerability
- CVE-2025-59952 - minio-java Client XML Tag is Vulnerable to Value Substitution
- CVE-2025-59950 - FreshRSS: Double clickjacking can lead to privilege escalation
- CVE-2025-59948 - FreshRSS is vulnerable to XSS due to lack of CSP on HTML query page
- CVE-2025-59941 - go-f3 is Vulnerable to Cached Justification Verification Bypass
- CVE-2025-59942 - go-f3 module vulnerable to integer overflow leading to panic
- CVE-2025-43812 - Liferay Portal Liferay DXP Cross-Site Scripting (XSS) Vulnerability
- CVE-2025-43813 - Liferay Portal and DXP Path Traversal and Denial-of-Service Vulnerability
- CVE-2025-43817 - Liferay Portal/Cross-Site Scripting (XSS)
- CVE-2025-59940 - mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders
- CVE-2025-61586 - FreshRSS is vulnerable to directory enumeration by setting path in its theme field
- CVE-2025-43820 - Liferay Portal Liferay DXP Calendar Widget XSS Vulnerability
- CVE-2025-59163 - vet MCP Server SSE Transport DNS Rebinding Vulnerability
- CVE-2025-57769 - FreshRSS: Clickjacking can lead to XSS and/or privilege escalation
- CVE-2025-59933 - libvips is vulnerable to Buffer Over-Read in poppler-based pdfload
- CVE-2025-43818 - Liferay Portal Liferay DXP XSS
- CVE-2025-43811 - Liferay Portal and DXP Stored XSS Vulnerability
- CVE-2025-54592 - FreshRSS has Incomplete Session Termination on Logout
- CVE-2025-43815 - Liferay Portal Liferay DXP Cross-Site Scripting (XSS)
- CVE-2025-57266 - ThriveX Blogging Framework API Key Disclosure Vulnerability
- CVE-2025-34232 - Vasion Print (formerly PrinterLogic) Blind SSRF via Lexmark dellCheck.php
- CVE-2025-34233 - Vasion Print (formerly PrinterLogic) Insecure Use of file_get_contents()
- CVE-2025-34234 - Vasion Print (formerly PrinterLogic) Hardcoded Encryption Private Keys
- CVE-2025-34235 - Vasion Print (formerly PrinterLogic) Weak SSL/TLS Certificate Validation RCE
- CVE-2025-45376 - Dell Repository Manager (DRM) Elevation of Privileges Vulnerability
- CVE-2025-54591 - FreshRSS: Unauthenticated users can view default user's information