Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Total: 254565 entries

ID | Description | Priority | Modified date
CVE-2025-26582 Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems allows Stored XSS. This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through 1.0.0. -- Feb 13, 2025
CVE-2025-26580 Cross-Site Request Forgery (CSRF) vulnerability in CompleteWebResources Page/Post Specific Social Share Buttons allows Stored XSS. This issue affects Page/Post Specific Social Share Buttons: from n/a through 2.1. -- Feb 13, 2025
CVE-2025-26578 Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through 1.2.8. -- Feb 13, 2025
CVE-2025-26577 Cross-Site Request Forgery (CSRF) vulnerability in daxiawp DX-auto-publish allows Stored XSS. This issue affects DX-auto-publish: from n/a through 1.2. -- Feb 13, 2025
CVE-2025-26574 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media allows Stored XSS. This issue affects Google Drive WP Media: from n/a through 2.4.4. -- Feb 13, 2025
CVE-2025-26572 Cross-Site Request Forgery (CSRF) vulnerability in jesseheap WP PHPList allows Cross Site Request Forgery. This issue affects WP PHPList: from n/a through 1.7. -- Feb 13, 2025
CVE-2025-26571 Cross-Site Request Forgery (CSRF) vulnerability in wibiya Wibiya Toolbar allows Cross Site Request Forgery. This issue affects Wibiya Toolbar: from n/a through 2.0. -- Feb 13, 2025
CVE-2025-26570 Cross-Site Request Forgery (CSRF) vulnerability in uamv Glance That allows Cross Site Request Forgery. This issue affects Glance That: from n/a through 4.9. -- Feb 13, 2025
CVE-2025-26569 Cross-Site Request Forgery (CSRF) vulnerability in callmeforsox Post Thumbs allows Stored XSS. This issue affects Post Thumbs: from n/a through 1.5. -- Feb 13, 2025
CVE-2025-26568 Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through 4.0.1. -- Feb 13, 2025
CVE-2025-26567 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farjana55 Font Awesome WP allows DOM-Based XSS. This issue affects Font Awesome WP: from n/a through 1.0. -- Feb 13, 2025
CVE-2025-26562 Cross-Site Request Forgery (CSRF) vulnerability in Shambhu Patnaik RSS Filter allows Stored XSS. This issue affects RSS Filter: from n/a through 1.2. -- Feb 13, 2025
CVE-2025-26561 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elfsight Elfsight Yottie Lite allows Stored XSS. This issue affects Elfsight Yottie Lite: from n/a through 1.3.3. -- Feb 13, 2025
CVE-2025-26558 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mkkmail Aparat Responsive allows DOM-Based XSS. This issue affects Aparat Responsive: from n/a through 1.3. -- Feb 13, 2025
CVE-2025-26552 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badrHan Naver Syndication V2 allows Stored XSS. This issue affects Naver Syndication V2: from n/a through 0.8.3. -- Feb 13, 2025
CVE-2025-26551 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Bootstrap collapse allows Stored XSS. This issue affects Bootstrap collapse: from n/a through 1.0.4. -- Feb 13, 2025
CVE-2025-26550 Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through 2.3. -- Feb 13, 2025
CVE-2025-26549 Cross-Site Request Forgery (CSRF) vulnerability in pa1 WP Html Page Sitemap allows Stored XSS. This issue affects WP Html Page Sitemap: from n/a through 2.2. -- Feb 13, 2025
CVE-2025-26547 Cross-Site Request Forgery (CSRF) vulnerability in nagarjunsonti My Login Logout Plugin allows Stored XSS. This issue affects My Login Logout Plugin: from n/a through 2.4. -- Feb 13, 2025
CVE-2025-26545 Cross-Site Request Forgery (CSRF) vulnerability in shisuh Related Posts Line-up-Exactly by Milliard allows Stored XSS. This issue affects Related Posts Line-up-Exactly by Milliard: from n/a through 0.0.22. -- Feb 13, 2025
CVE-2025-26543 Cross-Site Request Forgery (CSRF) vulnerability in Pukhraj Suthar Simple Responsive Menu allows Stored XSS. This issue affects Simple Responsive Menu: from n/a through 2.1. -- Feb 13, 2025
CVE-2025-26539 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petkivim Embed Google Map allows Stored XSS. This issue affects Embed Google Map: from n/a through 3.2. -- Feb 13, 2025
CVE-2025-26538 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Prezi Embedder allows Stored XSS. This issue affects Prezi Embedder: from n/a through 2.1. -- Feb 13, 2025
CVE-2025-26520 Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146. -- Feb 12, 2025
CVE-2025-26511 Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges. -- Feb 14, 2025
CVE-2025-26473 The Mojave Inverter uses the GET method for sensitive information. -- Feb 13, 2025
CVE-2025-26378 A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26377 A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26376 A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26375 A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26374 A CWE-862 Missing Authorization in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26373 A CWE-862 Missing Authorization in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26372 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26371 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26370 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26369 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26368 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26367 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26366 A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26365 A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26364 A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26363 A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26362 A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26361 A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26360 A CWE-306 Missing Authentication for Critical Function in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26359 A CWE-306 Missing Authentication for Critical Function in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26358 A CWE-20 Improper Input Validation in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26357 A CWE-35 Path Traversal in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26356 A CWE-35 Path Traversal in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests. -- Feb 12, 2025
CVE-2025-26355 A CWE-35 Path Traversal in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests. -- Feb 12, 2025
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.