- CVE-2025-13094 - WordPress WP3D Model Import Viewer Arbitrary File Upload Vulnerability
- CVE-2025-14440 - JAY Login & Register Plugin WordPress Authentication Bypass Vulnerability
- CVE-2025-14475 - WordPress WPBakery Local File Inclusion Vulnerability
- CVE-2025-14397 - WordPress Postem Ipsum Privilege Escalation Vulnerability
- CVE-2025-11693 - WordPress Export WP Page to Static HTML & PDF Sensitive Information Exposure
- CVE-2025-14476 - WordPress Doubly - Cross Domain Copy Paste PHP Object Injection Vulnerability
- CVE-2025-13970 - OpenPLC_V3 Cross-Site Request Forgery
- CVE-2025-8083 - Vuetify Prototype Pollution via Preset options
- CVE-2025-14373 - Google Chrome Android Domain Spoofing Vulnerability
- CVE-2025-14572 - UTT 进取 512W formWebAuthGlobalConfig memory corruption
- CVE-2024-58305 - WonderCMS 4.3.2 Cross-Site Scripting Remote Code Execution via Module Installation
- CVE-2024-58311 - Dormakaba Saflok System 6000 Key Generation Cryptographic Weakness
- CVE-2024-58314 - Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI
- CVE-2024-14010 - Typora 1.7.4 OS Command Injection via Export PDF Preferences
- CVE-2024-58299 - PCMan FTP Server 2.0 Remote Buffer Overflow via 'pwd' Command
- CVE-2024-58316 - Online Shopping System Advanced 1.0 SQL Injection via Payment Success Parameter
- CVE-2025-13733 - BuhoNTFS 1.3.2 - Local Privilege Escalation
- CVE-2025-36745 - SolarEdge SE3680H contains Linux Kernel vulnerabilities
- CVE-2025-36743 - SolarEdge SE3680H - Exposed Debug interface
- CVE-2025-13506 - Improper Authorization in Nebim Neyir's Nebim V3 ERP
- CVE-2025-23408 - Apache Fineract: weak password policy
- CVE-2025-67731 - Servify Express does not enforce rate limiting when parsing JSON
- CVE-2025-67728 - Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE)
- CVE-2025-67508 - gardenctl Gardener projects are vulnerable to Command Injection when used with non‑POSIX shells
- CVE-2025-14344 - Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion
- CVE-2025-14044 - Visitor Logic Lite <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie
- CVE-2025-13334 - Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion
- CVE-2025-12963 - LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart <= 1.2.29 - Missing Authorization to Unauthenticated Privilege Escalation
- CVE-2025-12968 - Infility Global <= 2.14.23 - Authenticated (Subscriber+) Arbitrary File Upload
- CVE-2025-12824 - Player Leaderboard 1.0.0 - 1.0.2 - Authenticated (Contributor+) Local File Inclusion
- CVE-2025-10451 - H19Int15CallbackSmm: SMM memory corruption vulnerability in combined DXE/SMM (SMRAM write)
- CVE-2025-66450 - LibreChat JSON Injection in Chat POST Allows Remote Resource Inclusion and PXSS via Image Upload
- CVE-2025-66446 - MaxKB has a Python sandbox LD_PRELOAD bypass
- CVE-2025-64721 - Sandboxie's Integer Overflow in SbieIniServer::RC4Crypt allows sandbox escape and SYSTEM compromise
- CVE-2025-66419 - MaxKB vulnerable to privilege escalation through sandbox bypass
- CVE-2025-34506 - WBCE CMS 1.6.3 Authenticated Remote Code Execution via Module Upload
- CVE-2024-58309 - xbtitFM 4.1.18 Unauthenticated SQL Injection in shoutedit.php
- CVE-2024-58310 - APC Network Management Card 4 Path Traversal via Directory Traversal
- CVE-2024-58312 - xbtitFM 4.1.18 Unauthenticated Path Traversal in nfogen.php
- CVE-2024-58313 - xbtitFM 4.1.18 Insecure File Upload in file_hosting Feature
- CVE-2024-58306 - minaliC 2.0.0 Denial of Service Vulnerability via Large GET Request
- CVE-2024-58307 - CSZCMS 1.3.0 Authenticated SQL Injection via Members View Endpoint
- CVE-2024-58308 - Quick.CMS 6.7 SQL Injection Authentication Bypass via Admin Login
- CVE-2024-58300 - Siklu MultiHaul TG Series < 2.0.0 Unauthenticated Credential Disclosure Vulnerability
- CVE-2024-58301 - Purei CMS 1.0 SQL Injection via Multiple Vulnerable Endpoints
- CVE-2024-58298 - Compuware iStrobe Web 20.13 Pre-Auth Remote Code Execution via File Upload
- CVE-2024-58303 - FoF Pretty Mail 1.1.2 Server Side Template Injection via Email Template Settings
- CVE-2024-58293 - Akaunting 3.1.8 Server-Side Template Injection via Multiple Form Fields
- CVE-2024-58294 - FreePBX 16 Authenticated Remote Code Execution via API Module
- CVE-2024-58295 - ElkArte Forum 1.1.9 Authenticated Remote Code Execution via Theme Upload
- CVE-2024-58287 - reNgine 2.2.0 Authenticated Command Injection via Scan Engine Configuration
- CVE-2024-58288 - Genexus Protection Server 9.7.2.10 Unquoted Service Path Privilege Escalation
- CVE-2024-58290 - Xhibiter NFT Marketplace 1.10.2 SQL Injection via Collections Endpoint
- CVE-2024-58286 - dizqueTV 1.5.3 Remote Code Execution via FFMPEG Executable Path
- CVE-2025-14535 - UTT 进取 512W formConfigFastDirectionW strcpy buffer overflow
- CVE-2025-13481 - IBM Aspera Orchestrator Command Injection
- CVE-2025-13148 - IBM Aspera Orchestrator Unverified Password Change
- CVE-2025-14534 - UTT 进取 512W Endpoint formNatStaticMap strcpy buffer overflow
- CVE-2025-13780 - Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4)
- CVE-2025-14046 - Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests
- CVE-2025-65473 - EasyImages Arbitrary File Rename Code Execution Vulnerability
- CVE-2025-14265 - Improper server-side validation in ScreenConnect extension framework
- CVE-2025-44016 - File Hash Validation Bypass in NomadBranch.exe
- CVE-2025-12029 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
- CVE-2025-64701 - QND Premium/Advance/Standard Windows Privilege Escalation Vulnerability
- CVE-2025-12716 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
- CVE-2025-8405 - Improper Encoding or Escaping of Output in GitLab
- CVE-2025-67719 - Ibexa User Bundle is missing password change validation
- CVE-2025-67718 - Formio improperly authorized permission elevation through specially crafted request path
- CVE-2025-67511 - Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool
- CVE-2025-67509 - MySQLSelectTool Read-Only Bypass via SELECT INTO OUTFILE Allows Arbitrary File Write
- CVE-2025-67510 - MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)
- CVE-2025-67505 - Race condition in the Okta Java SDK
- CVE-2025-66474 - XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
- CVE-2025-66473 - XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis
- CVE-2024-58282 - Serendipity 2.5.0 Remote Code Execution via Authenticated Media Upload
- CVE-2024-58283 - WBCE CMS 1.6.2 Remote Code Execution via Elfinder File Upload
- CVE-2024-58284 - PopojiCMS 2.0.1 Remote Command Execution via Authenticated Metadata Settings
- CVE-2024-58279 - appRain CMF 4.0.5 Authenticated Remote Code Execution via Filemanager Upload
- CVE-2024-58280 - CMSimple 5.15 Remote Command Execution via Extensions Configuration
- CVE-2024-58281 - Dotclear 2.29 Remote Code Execution via Authenticated File Upload
- CVE-2023-53776 - Screen SFT DAB 1.9.3 Authentication Bypass via Session Management Weakness
- CVE-2020-36902 - UBICOD Medivision Digital Signage 1.5.1 Authorization Bypass via User Privileges
- CVE-2023-53740 - Screen SFT DAB 1.9.3 Authentication Bypass via Admin Password Change
- CVE-2020-36898 - QiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion
- CVE-2020-36899 - QiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Disclosure
- CVE-2020-36900 - All-Dynamics Digital Signage System 2.0.2 Cross-Site Request Forgery via User Management
- CVE-2020-36901 - UBICOD Medivision Digital Signage 1.5.1 Cross-Site Request Forgery via User Management
- CVE-2020-36897 - QiHang Media Web Digital Signage 3.0.9 Unauthenticated Remote Code Execution
- CVE-2025-64537 - Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
- CVE-2025-64539 - Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
- CVE-2025-64538 - Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
- CVE-2025-13607 - Cisco Camera Unauthenticated Configuration Information Disclosure
- CVE-2025-34423 - MailEnable < 10.54 DLL Hijacking via Unsafe Loading of MEAIAU.DLL
- CVE-2025-34424 - MailEnable < 10.54 DLL Hijacking via Unsafe Loading of MEAIDP.DLL
- CVE-2025-34417 - MailEnable < 10.54 DLL Hijacking via Unsafe Loading of MEAISO.DLL
- CVE-2025-34418 - MailEnable < 10.54 DLL Hijacking via Unsafe Loading of MEAIMF.DLL
- CVE-2025-34419 - MailEnable < 10.54 DLL Hijacking via Unsafe Loading of MEAISM.DLL
- CVE-2025-34420 - MailEnable < 10.54 DLL Hijacking via Unsafe Loading of MEAIAM.DLL
- CVE-2025-34421 - MailEnable < 10.54 DLL Hijacking via Unsafe Loading of MEAISP.DLL