| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability was found in Roxy-WI up to 8.1.3. It has been declared as critical. Affected by this vulnerability is the function action_service of the file app/modules/roxywi/roxy.py. The manipulation of the argument action/service leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.1.4 is able to address this issue. The identifier of the patch is 32313928eb9ce906887b8a30bf7b9a3d5c0de1be. It is recommended to upgrade the affected component. |
| A vulnerability was found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Parcel Panel ParcelPanel allows Reflected XSS.This issue affects ParcelPanel: from n/a through 4.3.2. |
| CWE - 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ESBI Information and Telecommunication Industry and Trade Limited Company Auto Service Software allows SQL Injection.This issue affects Auto Service Software: before v.2025.10.01. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection.This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0. |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Blockspare allows Stored XSS.This issue affects Blockspare: from n/a through 3.2.0. |
| The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Podcast RSS Feed in all versions up to, and including, 5.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rashid87 WPSection allows PHP Local File Inclusion.This issue affects WPSection: from n/a through 1.3.8. |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in LA-Studio LA-Studio Element Kit for Elementor allows Stored XSS.This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.3.9.2. |
| The health module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginOps MailChimp Subscribe Forms allows Stored XSS.This issue affects MailChimp Subscribe Forms : from n/a through 4.0.9.9. |
| Netskope Client on Mac OS is impacted by a vulnerability in which the postinstall script does not properly validate the path of the file “nsinstallation”. A standard user could potentially create a symlink of the file “nsinstallation” to escalate the privileges of a different file on the system.
This issue affects Netskope Client: before 123.0, before 117.1.11.2310, before 120.1.10.2306. |
| The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage. |
| The Elementor Addons AI Addons – 70 Widgets, Premium Templates, Ultimate Elements plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render function due to insufficient restrictions on which templates can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft templates that they should not have access to. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobilteg Mobile Informatics Mikro Hand Terminal - MikroDB allows SQL Injection.This issue affects Mikro Hand Terminal - MikroDB.
NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. |
| Missing Authorization vulnerability in fifu.App Featured Image from URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Featured Image from URL: from n/a through 4.8.2. |
| Authentication Bypass by Capture-replay vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Session Hijacking.This issue affects ANKA JPD-00028: before V.01.01. |
| The SEO Keywords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘google_error’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| The Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'add_form_Emsfb' AJAX action in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping and missing authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
