| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing. |
| Contributor PHP Object Injection in Avada <= 3.15.3 versions. |
| Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection.
This issue affects Directorist Booking: from n/a through 3.0.3. |
| Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server.
This issue affects Academy LMS Pro: from n/a before 3.5.2. |
| The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL. |
| Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions. |
| Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions. |
| Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions. |
| Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions. |
| Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.3.1 versions. |
| Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions. |
| Unauthenticated Broken Access Control in Motors <= 1.4.109 versions. |
| Subscriber PHP Object Injection in EventPrime <= 4.3.4.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions. |
| A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.
Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability. |
| Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems. |