The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2025-26582 | Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems allows Stored XSS. This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through 1.0.0. | -- | Feb 13, 2025 |
CVE-2025-26580 | Cross-Site Request Forgery (CSRF) vulnerability in CompleteWebResources Page/Post Specific Social Share Buttons allows Stored XSS. This issue affects Page/Post Specific Social Share Buttons: from n/a through 2.1. | -- | Feb 13, 2025 |
CVE-2025-26578 | Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through 1.2.8. | -- | Feb 13, 2025 |
CVE-2025-26577 | Cross-Site Request Forgery (CSRF) vulnerability in daxiawp DX-auto-publish allows Stored XSS. This issue affects DX-auto-publish: from n/a through 1.2. | -- | Feb 13, 2025 |
CVE-2025-26574 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media allows Stored XSS. This issue affects Google Drive WP Media: from n/a through 2.4.4. | -- | Feb 13, 2025 |
CVE-2025-26572 | Cross-Site Request Forgery (CSRF) vulnerability in jesseheap WP PHPList allows Cross Site Request Forgery. This issue affects WP PHPList: from n/a through 1.7. | -- | Feb 13, 2025 |
CVE-2025-26571 | Cross-Site Request Forgery (CSRF) vulnerability in wibiya Wibiya Toolbar allows Cross Site Request Forgery. This issue affects Wibiya Toolbar: from n/a through 2.0. | -- | Feb 13, 2025 |
CVE-2025-26570 | Cross-Site Request Forgery (CSRF) vulnerability in uamv Glance That allows Cross Site Request Forgery. This issue affects Glance That: from n/a through 4.9. | -- | Feb 13, 2025 |
CVE-2025-26569 | Cross-Site Request Forgery (CSRF) vulnerability in callmeforsox Post Thumbs allows Stored XSS. This issue affects Post Thumbs: from n/a through 1.5. | -- | Feb 13, 2025 |
CVE-2025-26568 | Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through 4.0.1. | -- | Feb 13, 2025 |
CVE-2025-26567 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farjana55 Font Awesome WP allows DOM-Based XSS. This issue affects Font Awesome WP: from n/a through 1.0. | -- | Feb 13, 2025 |
CVE-2025-26562 | Cross-Site Request Forgery (CSRF) vulnerability in Shambhu Patnaik RSS Filter allows Stored XSS. This issue affects RSS Filter: from n/a through 1.2. | -- | Feb 13, 2025 |
CVE-2025-26561 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elfsight Elfsight Yottie Lite allows Stored XSS. This issue affects Elfsight Yottie Lite: from n/a through 1.3.3. | -- | Feb 13, 2025 |
CVE-2025-26558 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mkkmail Aparat Responsive allows DOM-Based XSS. This issue affects Aparat Responsive: from n/a through 1.3. | -- | Feb 13, 2025 |
CVE-2025-26552 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badrHan Naver Syndication V2 allows Stored XSS. This issue affects Naver Syndication V2: from n/a through 0.8.3. | -- | Feb 13, 2025 |
CVE-2025-26551 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Bootstrap collapse allows Stored XSS. This issue affects Bootstrap collapse: from n/a through 1.0.4. | -- | Feb 13, 2025 |
CVE-2025-26550 | Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through 2.3. | -- | Feb 13, 2025 |
CVE-2025-26549 | Cross-Site Request Forgery (CSRF) vulnerability in pa1 WP Html Page Sitemap allows Stored XSS. This issue affects WP Html Page Sitemap: from n/a through 2.2. | -- | Feb 13, 2025 |
CVE-2025-26547 | Cross-Site Request Forgery (CSRF) vulnerability in nagarjunsonti My Login Logout Plugin allows Stored XSS. This issue affects My Login Logout Plugin: from n/a through 2.4. | -- | Feb 13, 2025 |
CVE-2025-26545 | Cross-Site Request Forgery (CSRF) vulnerability in shisuh Related Posts Line-up-Exactly by Milliard allows Stored XSS. This issue affects Related Posts Line-up-Exactly by Milliard: from n/a through 0.0.22. | -- | Feb 13, 2025 |
CVE-2025-26543 | Cross-Site Request Forgery (CSRF) vulnerability in Pukhraj Suthar Simple Responsive Menu allows Stored XSS. This issue affects Simple Responsive Menu: from n/a through 2.1. | -- | Feb 13, 2025 |
CVE-2025-26539 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petkivim Embed Google Map allows Stored XSS. This issue affects Embed Google Map: from n/a through 3.2. | -- | Feb 13, 2025 |
CVE-2025-26538 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Prezi Embedder allows Stored XSS. This issue affects Prezi Embedder: from n/a through 2.1. | -- | Feb 13, 2025 |
CVE-2025-26520 | Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146. | -- | Feb 12, 2025 |
CVE-2025-26511 | Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges. | -- | Feb 14, 2025 |
CVE-2025-26473 | The Mojave Inverter uses the GET method for sensitive information. | -- | Feb 13, 2025 |
CVE-2025-26378 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26377 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26376 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26375 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26374 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26373 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26372 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26371 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26370 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26369 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26368 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26367 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26366 | A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26365 | A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26364 | A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26363 | A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26362 | A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26361 | A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26360 | A CWE-306 Missing Authentication for Critical Function in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26359 | A CWE-306 Missing Authentication for Critical Function in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26358 | A CWE-20 Improper Input Validation in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26357 | A CWE-35 Path Traversal in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26356 | A CWE-35 Path Traversal in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests. | -- | Feb 12, 2025 |
CVE-2025-26355 | A CWE-35 Path Traversal in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests. | -- | Feb 12, 2025 |