The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2025-26511 | Systems running the Instaclustr fork of Stratio\'s Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges. | -- | Feb 14, 2025 |
CVE-2025-0998 | chromium-x11: Out of bounds memory access in V8 | -- | Feb 14, 2025 |
CVE-2025-0997 | chromium-x11: Use after free in Navigation | -- | Feb 14, 2025 |
CVE-2025-0996 | chromium-x11: Inappropriate implementation in Browser UI | -- | Feb 14, 2025 |
CVE-2025-0995 | chromium-x11: Use after free in V8 | -- | Feb 14, 2025 |
CVE-2025-26582 | Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems allows Stored XSS. This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through 1.0.0. | -- | Feb 13, 2025 |
CVE-2025-26580 | Cross-Site Request Forgery (CSRF) vulnerability in CompleteWebResources Page/Post Specific Social Share Buttons allows Stored XSS. This issue affects Page/Post Specific Social Share Buttons: from n/a through 2.1. | -- | Feb 13, 2025 |
CVE-2025-26578 | Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through 1.2.8. | -- | Feb 13, 2025 |
CVE-2025-26577 | Cross-Site Request Forgery (CSRF) vulnerability in daxiawp DX-auto-publish allows Stored XSS. This issue affects DX-auto-publish: from n/a through 1.2. | -- | Feb 13, 2025 |
CVE-2025-26574 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Moch Amir Google Drive WP Media allows Stored XSS. This issue affects Google Drive WP Media: from n/a through 2.4.4. | -- | Feb 13, 2025 |
CVE-2025-26572 | Cross-Site Request Forgery (CSRF) vulnerability in jesseheap WP PHPList allows Cross Site Request Forgery. This issue affects WP PHPList: from n/a through 1.7. | -- | Feb 13, 2025 |
CVE-2025-26571 | Cross-Site Request Forgery (CSRF) vulnerability in wibiya Wibiya Toolbar allows Cross Site Request Forgery. This issue affects Wibiya Toolbar: from n/a through 2.0. | -- | Feb 13, 2025 |
CVE-2025-26570 | Cross-Site Request Forgery (CSRF) vulnerability in uamv Glance That allows Cross Site Request Forgery. This issue affects Glance That: from n/a through 4.9. | -- | Feb 13, 2025 |
CVE-2025-26569 | Cross-Site Request Forgery (CSRF) vulnerability in callmeforsox Post Thumbs allows Stored XSS. This issue affects Post Thumbs: from n/a through 1.5. | -- | Feb 13, 2025 |
CVE-2025-26568 | Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through 4.0.1. | -- | Feb 13, 2025 |
CVE-2025-26567 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in farjana55 Font Awesome WP allows DOM-Based XSS. This issue affects Font Awesome WP: from n/a through 1.0. | -- | Feb 13, 2025 |
CVE-2025-26562 | Cross-Site Request Forgery (CSRF) vulnerability in Shambhu Patnaik RSS Filter allows Stored XSS. This issue affects RSS Filter: from n/a through 1.2. | -- | Feb 13, 2025 |
CVE-2025-26561 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in elfsight Elfsight Yottie Lite allows Stored XSS. This issue affects Elfsight Yottie Lite: from n/a through 1.3.3. | -- | Feb 13, 2025 |
CVE-2025-26558 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in mkkmail Aparat Responsive allows DOM-Based XSS. This issue affects Aparat Responsive: from n/a through 1.3. | -- | Feb 13, 2025 |
CVE-2025-26552 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in badrHan Naver Syndication V2 allows Stored XSS. This issue affects Naver Syndication V2: from n/a through 0.8.3. | -- | Feb 13, 2025 |
CVE-2025-26551 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in sureshdsk Bootstrap collapse allows Stored XSS. This issue affects Bootstrap collapse: from n/a through 1.0.4. | -- | Feb 13, 2025 |
CVE-2025-26550 | Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through 2.3. | -- | Feb 13, 2025 |
CVE-2025-26549 | Cross-Site Request Forgery (CSRF) vulnerability in pa1 WP Html Page Sitemap allows Stored XSS. This issue affects WP Html Page Sitemap: from n/a through 2.2. | -- | Feb 13, 2025 |
CVE-2025-26547 | Cross-Site Request Forgery (CSRF) vulnerability in nagarjunsonti My Login Logout Plugin allows Stored XSS. This issue affects My Login Logout Plugin: from n/a through 2.4. | -- | Feb 13, 2025 |
CVE-2025-26545 | Cross-Site Request Forgery (CSRF) vulnerability in shisuh Related Posts Line-up-Exactly by Milliard allows Stored XSS. This issue affects Related Posts Line-up-Exactly by Milliard: from n/a through 0.0.22. | -- | Feb 13, 2025 |
CVE-2025-26543 | Cross-Site Request Forgery (CSRF) vulnerability in Pukhraj Suthar Simple Responsive Menu allows Stored XSS. This issue affects Simple Responsive Menu: from n/a through 2.1. | -- | Feb 13, 2025 |
CVE-2025-26539 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in petkivim Embed Google Map allows Stored XSS. This issue affects Embed Google Map: from n/a through 3.2. | -- | Feb 13, 2025 |
CVE-2025-26538 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Dan Rossiter Prezi Embedder allows Stored XSS. This issue affects Prezi Embedder: from n/a through 2.1. | -- | Feb 13, 2025 |
CVE-2025-26473 | The Mojave Inverter uses the GET method for sensitive information. | -- | Feb 13, 2025 |
CVE-2025-25901 | A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11, triggered by the dnsserver1 and dnsserver2 parameters at /userRpm/WanSlaacCfgRpm.htm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Feb 13, 2025 |
CVE-2025-25900 | A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the username and password parameters at /userRpm/PPPoEv6CfgRpm.htm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Feb 13, 2025 |
CVE-2025-25899 | A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the \'gw\' parameter at /userRpm/WanDynamicIpV6CfgRpm.htm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Feb 13, 2025 |
CVE-2025-25898 | A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the pskSecret parameter at /userRpm/WlanSecurityRpm.htm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Feb 13, 2025 |
CVE-2025-25897 | A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the \'ip\' parameter at /userRpm/WanStaticIpV6CfgRpm.htm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet. | -- | Feb 13, 2025 |
CVE-2025-25389 | A SQL Injection vulnerability was found in /admin/forgot-password.php in Phpgurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the contactno POST request parameter. | -- | Feb 13, 2025 |
CVE-2025-25388 | A SQL Injection vulnerability was found in /admin/edit-propertytype.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the editid GET request parameter. | -- | Feb 13, 2025 |
CVE-2025-25387 | A SQL Injection vulnerability was found in /admin/manage-propertytype.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the propertytype POST request parameter. | -- | Feb 13, 2025 |
CVE-2025-25357 | A SQL Injection vulnerability was found in /admin/contactus.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the email POST request parameter. | -- | Feb 13, 2025 |
CVE-2025-25356 | A SQL Injection vulnerability was found in /admin/bwdates-reports-details.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the todate POST request parameter. | -- | Feb 13, 2025 |
CVE-2025-25355 | A SQL Injection vulnerability was found in /admin/bwdates-reports-details.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the fromdate POST request parameter. | -- | Feb 13, 2025 |
CVE-2025-25354 | A SQL Injection was found in /admin/admin-profile.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the contactnumber POST request parameter. | -- | Feb 13, 2025 |
CVE-2025-25352 | A SQL Injection vulnerability was found in /admin/aboutus.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the pagetitle POST request parameter. | -- | Feb 13, 2025 |
CVE-2025-25287 | Lakeus is a simple skin made for MediaWiki. Starting in version 1.8.0 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to store cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch. | -- | Feb 13, 2025 |
CVE-2025-25286 | Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against the Homarus\'s `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs. | -- | Feb 13, 2025 |
CVE-2025-25281 | An attacker may modify the URL to discover sensitive information about the target network. | -- | Feb 13, 2025 |
CVE-2025-25195 | Zulip is an open source team chat application. A weekly cron job (added in 50256f48314250978f521ef439cafa704e056539) demotes channels to being inactive after they have not received traffic for 180 days. However, upon doing so, an event was sent to all users in the organization, not just users in the channel. This event contained the name of the private channel. Similarly, the same commit (50256f48314250978f521ef439cafa704e056539) added functionality to notify clients when channels stopped being inactive. The first message sent to a private channel which had not previously had any messages for over 180 days (and were thus already marked inactive) would leak an event to all users in the organization; this event also contained the name of the private channel. Commits 75be449d456d29fef27e9d1828bafa30174284b4 and a2a1a7f8d152296c8966f1380872c0ac69e5c87e fixed the issue. This vulnerability only existed in `main`, and was not part of any published versions. | -- | Feb 13, 2025 |
CVE-2025-25067 | mySCADA myPRO Manager is vulnerable to an OS command injection which could allow a remote attacker to execute arbitrary OS commands. | -- | Feb 13, 2025 |
CVE-2025-24904 | libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, plaintext content envelopes could be injected by a server or a malicious client, and may have been able to bypass the end-to-end encryption and authentication. The vulnerability is fixed per 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available. | -- | Feb 13, 2025 |
CVE-2025-24903 | libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, any contact may forge a sync message, impersonating another device of the local user. The origin of sync messages is not checked. Patched libsignal-service can be found after commit 82d70f6720e762898f34ae76b0894b0297d9b2f8. The `Metadata` struct contains an additional `was_encrypted` field, which breaks the API, but should be easily resolvable. No known workarounds are available. | -- | Feb 13, 2025 |
CVE-2025-24889 | The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Prior to versions 0.14.1 and 1.0.1, an attacker who has already gained code execution in a virtual machine on the SecureDrop Workstation could gain code execution in the `sd-log` virtual machine by sending a specially crafted log entry. The vulnerability is not exploitable remotely and requires an attacker to already have code execution on one of the other virtual machines (VMs) of the system. Due to the Workstation\'s underlying usage of Qubes for strong isolation, the vulnerability would have allowed lateral movement between any log-enabled VM and the `sd-log` VM, but no further. The SecureDrop workstation collects logs centrally in an isolated virtual machine named `sd-log` for easy export for support and debugging purposes. The `sd-log` VM is completely isolated from the internet and ingests logs via a narrow Qubes RPC policy that allows for specific inter-VM communication via the Xen vchan protocol used by Qubes\'s qrexec mechanism. A path traversal bug was found in the logic used to choose where to write the log file for a specific VM: the VM name, used unsanitized in the destination path in `sd-log`, is supplied by the logging VM itself instead of being read from a trusted source, such as the Qubes environment variable `QREXEC_REMOTE_DOMAIN` that is used in the fixed implementation. An attacker could provide an arbitrary source VM name, possibly overwriting logs of other VMs, or writing a file named `syslog.log`, with attacker-controlled content, in arbitrary directories as a low-privileged user. A successful attack could potentially overwrite or add configuration to software that loads configuration files from a directory. This is exploitable to achieve code execution by setting the target directory to `/home/user/.config/autostart/` and letting it write `syslog.log`, because XFCE treats any file in that directory as a `.desktop` file regardless of its extension. Versions 0.14.1 and 1.0.1 contain a patch for this issue. | -- | Feb 13, 2025 |