The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2025-26582 | Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems allows Stored XSS. This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through 1.0.0. | -- | Feb 13, 2025 | n/a |
CVE-2025-26580 | Cross-Site Request Forgery (CSRF) vulnerability in CompleteWebResources Page/Post Specific Social Share Buttons allows Stored XSS. This issue affects Page/Post Specific Social Share Buttons: from n/a through 2.1. | -- | Feb 13, 2025 | n/a |
CVE-2025-26578 | Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through 1.2.8. | -- | Feb 13, 2025 | n/a |
CVE-2025-26577 | Cross-Site Request Forgery (CSRF) vulnerability in daxiawp DX-auto-publish allows Stored XSS. This issue affects DX-auto-publish: from n/a through 1.2. | -- | Feb 13, 2025 | n/a |
CVE-2025-26574 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media allows Stored XSS. This issue affects Google Drive WP Media: from n/a through 2.4.4. | -- | Feb 13, 2025 | n/a |
CVE-2025-26572 | Cross-Site Request Forgery (CSRF) vulnerability in jesseheap WP PHPList allows Cross Site Request Forgery. This issue affects WP PHPList: from n/a through 1.7. | -- | Feb 13, 2025 | n/a |
CVE-2025-26571 | Cross-Site Request Forgery (CSRF) vulnerability in wibiya Wibiya Toolbar allows Cross Site Request Forgery. This issue affects Wibiya Toolbar: from n/a through 2.0. | -- | Feb 13, 2025 | n/a |
CVE-2025-26570 | Cross-Site Request Forgery (CSRF) vulnerability in uamv Glance That allows Cross Site Request Forgery. This issue affects Glance That: from n/a through 4.9. | -- | Feb 13, 2025 | n/a |
CVE-2025-26569 | Cross-Site Request Forgery (CSRF) vulnerability in callmeforsox Post Thumbs allows Stored XSS. This issue affects Post Thumbs: from n/a through 1.5. | -- | Feb 13, 2025 | n/a |
CVE-2025-26568 | Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through 4.0.1. | -- | Feb 13, 2025 | n/a |
CVE-2025-26567 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farjana55 Font Awesome WP allows DOM-Based XSS. This issue affects Font Awesome WP: from n/a through 1.0. | -- | Feb 13, 2025 | n/a |
CVE-2025-26562 | Cross-Site Request Forgery (CSRF) vulnerability in Shambhu Patnaik RSS Filter allows Stored XSS. This issue affects RSS Filter: from n/a through 1.2. | -- | Feb 13, 2025 | n/a |
CVE-2025-26561 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elfsight Elfsight Yottie Lite allows Stored XSS. This issue affects Elfsight Yottie Lite: from n/a through 1.3.3. | -- | Feb 13, 2025 | n/a |
CVE-2025-26558 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mkkmail Aparat Responsive allows DOM-Based XSS. This issue affects Aparat Responsive: from n/a through 1.3. | -- | Feb 13, 2025 | n/a |
CVE-2025-26552 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badrHan Naver Syndication V2 allows Stored XSS. This issue affects Naver Syndication V2: from n/a through 0.8.3. | -- | Feb 13, 2025 | n/a |
CVE-2025-26551 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Bootstrap collapse allows Stored XSS. This issue affects Bootstrap collapse: from n/a through 1.0.4. | -- | Feb 13, 2025 | n/a |
CVE-2025-26550 | Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through 2.3. | -- | Feb 13, 2025 | n/a |
CVE-2025-26549 | Cross-Site Request Forgery (CSRF) vulnerability in pa1 WP Html Page Sitemap allows Stored XSS. This issue affects WP Html Page Sitemap: from n/a through 2.2. | -- | Feb 13, 2025 | n/a |
CVE-2025-26547 | Cross-Site Request Forgery (CSRF) vulnerability in nagarjunsonti My Login Logout Plugin allows Stored XSS. This issue affects My Login Logout Plugin: from n/a through 2.4. | -- | Feb 13, 2025 | n/a |
CVE-2025-26545 | Cross-Site Request Forgery (CSRF) vulnerability in shisuh Related Posts Line-up-Exactly by Milliard allows Stored XSS. This issue affects Related Posts Line-up-Exactly by Milliard: from n/a through 0.0.22. | -- | Feb 13, 2025 | n/a |
CVE-2025-26543 | Cross-Site Request Forgery (CSRF) vulnerability in Pukhraj Suthar Simple Responsive Menu allows Stored XSS. This issue affects Simple Responsive Menu: from n/a through 2.1. | -- | Feb 13, 2025 | n/a |
CVE-2025-26539 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petkivim Embed Google Map allows Stored XSS. This issue affects Embed Google Map: from n/a through 3.2. | -- | Feb 13, 2025 | n/a |
CVE-2025-26538 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Prezi Embedder allows Stored XSS. This issue affects Prezi Embedder: from n/a through 2.1. | -- | Feb 13, 2025 | n/a |
CVE-2025-26520 | Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146. | -- | Feb 12, 2025 | n/a |
CVE-2025-26511 | Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges. | -- | Feb 14, 2025 | n/a |
CVE-2025-26495 | Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories. This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19. | -- | Feb 11, 2025 | n/a |
CVE-2025-26494 | Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server allows Authentication Bypass. This issue affects Tableau Server: from 2023.3 through 2023.3.5. | -- | Feb 11, 2025 | n/a |
CVE-2025-26493 | In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab | -- | Feb 11, 2025 | n/a |
CVE-2025-26492 | In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources | -- | Feb 11, 2025 | n/a |
CVE-2025-26491 | A vulnerability has been identified in Opcenter Intelligence (All versions < V2501). Server-side request forgery (SSRF) vulnerability in Tableau Server. For details go to help.salesforce.com and search for knowledge article id 001534936. | -- | Feb 11, 2025 | n/a |
CVE-2025-26490 | A vulnerability has been identified in Opcenter Intelligence (All versions < V2501). Personal access token disclosure vulnerability in Tableau Server. For details go to help.salesforce.com and search for knowledge article id 000390611. | -- | Feb 11, 2025 | n/a |
CVE-2025-26473 | The Mojave Inverter uses the GET method for sensitive information. | -- | Feb 13, 2025 | n/a |
CVE-2025-26411 | An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0. | -- | Feb 11, 2025 | n/a |
CVE-2025-26410 | The firmware of all Wattsense Bridge devices contains the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface. The backdoor user has been removed in firmware BSP >= 6.4.1. | -- | Feb 11, 2025 | n/a |
CVE-2025-26409 | A serial interface can be accessed with physical access to the PCB of Wattsense Bridge devices. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device. This issue is fixed in recent firmware versions BSP >= 6.4.1. | -- | Feb 11, 2025 | n/a |
CVE-2025-26408 | The JTAG interface of Wattsense Bridge devices can be accessed with physical access to the PCB. After connecting to the interface, full access to the device is possible. This enables an attacker to extract information, modify and debug the device's firmware. All known versions are affected. | -- | Feb 11, 2025 | n/a |
CVE-2025-26378 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26377 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26376 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26375 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26374 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26373 | A CWE-862 Missing Authorization in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26372 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26371 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26370 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26369 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26368 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26367 | A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26366 | A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |
CVE-2025-26365 | A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. | -- | Feb 12, 2025 | n/a |