Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

254565 entries
ID Description Priority Modified date Fixed Release
CVE-2025-26582 Cross-Site Request Forgery (CSRF) vulnerability in Blackbam TinyMCE Advanced qTranslate fix editor problems allows Stored XSS. This issue affects TinyMCE Advanced qTranslate fix editor problems: from n/a through 1.0.0. -- Feb 13, 2025 n/a
CVE-2025-26580 Cross-Site Request Forgery (CSRF) vulnerability in CompleteWebResources Page/Post Specific Social Share Buttons allows Stored XSS. This issue affects Page/Post Specific Social Share Buttons: from n/a through 2.1. -- Feb 13, 2025 n/a
CVE-2025-26578 Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through 1.2.8. -- Feb 13, 2025 n/a
CVE-2025-26577 Cross-Site Request Forgery (CSRF) vulnerability in daxiawp DX-auto-publish allows Stored XSS. This issue affects DX-auto-publish: from n/a through 1.2. -- Feb 13, 2025 n/a
CVE-2025-26574 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moch Amir Google Drive WP Media allows Stored XSS. This issue affects Google Drive WP Media: from n/a through 2.4.4. -- Feb 13, 2025 n/a
CVE-2025-26572 Cross-Site Request Forgery (CSRF) vulnerability in jesseheap WP PHPList allows Cross Site Request Forgery. This issue affects WP PHPList: from n/a through 1.7. -- Feb 13, 2025 n/a
CVE-2025-26571 Cross-Site Request Forgery (CSRF) vulnerability in wibiya Wibiya Toolbar allows Cross Site Request Forgery. This issue affects Wibiya Toolbar: from n/a through 2.0. -- Feb 13, 2025 n/a
CVE-2025-26570 Cross-Site Request Forgery (CSRF) vulnerability in uamv Glance That allows Cross Site Request Forgery. This issue affects Glance That: from n/a through 4.9. -- Feb 13, 2025 n/a
CVE-2025-26569 Cross-Site Request Forgery (CSRF) vulnerability in callmeforsox Post Thumbs allows Stored XSS. This issue affects Post Thumbs: from n/a through 1.5. -- Feb 13, 2025 n/a
CVE-2025-26568 Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through 4.0.1. -- Feb 13, 2025 n/a
CVE-2025-26567 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farjana55 Font Awesome WP allows DOM-Based XSS. This issue affects Font Awesome WP: from n/a through 1.0. -- Feb 13, 2025 n/a
CVE-2025-26562 Cross-Site Request Forgery (CSRF) vulnerability in Shambhu Patnaik RSS Filter allows Stored XSS. This issue affects RSS Filter: from n/a through 1.2. -- Feb 13, 2025 n/a
CVE-2025-26561 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elfsight Elfsight Yottie Lite allows Stored XSS. This issue affects Elfsight Yottie Lite: from n/a through 1.3.3. -- Feb 13, 2025 n/a
CVE-2025-26558 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mkkmail Aparat Responsive allows DOM-Based XSS. This issue affects Aparat Responsive: from n/a through 1.3. -- Feb 13, 2025 n/a
CVE-2025-26552 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badrHan Naver Syndication V2 allows Stored XSS. This issue affects Naver Syndication V2: from n/a through 0.8.3. -- Feb 13, 2025 n/a
CVE-2025-26551 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Bootstrap collapse allows Stored XSS. This issue affects Bootstrap collapse: from n/a through 1.0.4. -- Feb 13, 2025 n/a
CVE-2025-26550 Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through 2.3. -- Feb 13, 2025 n/a
CVE-2025-26549 Cross-Site Request Forgery (CSRF) vulnerability in pa1 WP Html Page Sitemap allows Stored XSS. This issue affects WP Html Page Sitemap: from n/a through 2.2. -- Feb 13, 2025 n/a
CVE-2025-26547 Cross-Site Request Forgery (CSRF) vulnerability in nagarjunsonti My Login Logout Plugin allows Stored XSS. This issue affects My Login Logout Plugin: from n/a through 2.4. -- Feb 13, 2025 n/a
CVE-2025-26545 Cross-Site Request Forgery (CSRF) vulnerability in shisuh Related Posts Line-up-Exactly by Milliard allows Stored XSS. This issue affects Related Posts Line-up-Exactly by Milliard: from n/a through 0.0.22. -- Feb 13, 2025 n/a
CVE-2025-26543 Cross-Site Request Forgery (CSRF) vulnerability in Pukhraj Suthar Simple Responsive Menu allows Stored XSS. This issue affects Simple Responsive Menu: from n/a through 2.1. -- Feb 13, 2025 n/a
CVE-2025-26539 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petkivim Embed Google Map allows Stored XSS. This issue affects Embed Google Map: from n/a through 3.2. -- Feb 13, 2025 n/a
CVE-2025-26538 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Prezi Embedder allows Stored XSS. This issue affects Prezi Embedder: from n/a through 2.1. -- Feb 13, 2025 n/a
CVE-2025-26520 Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146. -- Feb 12, 2025 n/a
CVE-2025-26511 Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges. -- Feb 14, 2025 n/a
CVE-2025-26495 Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories. This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19. -- Feb 11, 2025 n/a
CVE-2025-26494 Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server allows Authentication Bypass. This issue affects Tableau Server: from 2023.3 through 2023.3.5. -- Feb 11, 2025 n/a
CVE-2025-26493 In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab -- Feb 11, 2025 n/a
CVE-2025-26492 In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources -- Feb 11, 2025 n/a
CVE-2025-26491 A vulnerability has been identified in Opcenter Intelligence (All versions < V2501). Server-side request forgery (SSRF) vulnerability in Tableau Server. For details go to help.salesforce.com and search for knowledge article id 001534936. -- Feb 11, 2025 n/a
CVE-2025-26490 A vulnerability has been identified in Opcenter Intelligence (All versions < V2501). Personal access token disclosure vulnerability in Tableau Server. For details go to help.salesforce.com and search for knowledge article id 000390611. -- Feb 11, 2025 n/a
CVE-2025-26473 The Mojave Inverter uses the GET method for sensitive information. -- Feb 13, 2025 n/a
CVE-2025-26411 An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. This enables an attacker to gain remote root access to the device. An attacker needs a valid user account on the Wattsense web interface to be able to conduct this attack. This issue is fixed in recent firmware versions BSP >= 6.1.0. -- Feb 11, 2025 n/a
CVE-2025-26410 The firmware of all Wattsense Bridge devices contain the same hard-coded user and root credentials. The user password can be easily recovered via password cracking attempts. The recovered credentials can be used to log into the device via the login shell that is exposed by the serial interface. The backdoor user has been removed in firmware BSP >= 6.4.1. -- Feb 11, 2025 n/a
CVE-2025-26409 A serial interface can be accessed with physical access to the PCB of Wattsense Bridge devices. After connecting to the interface, access to the bootloader is possible, as well as a Linux login prompt. The bootloader access can be used to gain a root shell on the device. This issue is fixed in recent firmware versions BSP >= 6.4.1. -- Feb 11, 2025 n/a
CVE-2025-26408 The JTAG interface of Wattsense Bridge devices can be accessed with physical access to the PCB. After connecting to the interface, full access to the device is possible. This enables an attacker to extract information, modify and debug the device's firmware. All known versions are affected. -- Feb 11, 2025 n/a
CVE-2025-26378 A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26377 A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26376 A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26375 A CWE-862 Missing Authorization in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26374 A CWE-862 Missing Authorization in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26373 A CWE-862 Missing Authorization in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26372 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26371 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26370 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26369 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26368 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26367 A CWE-862 Missing Authorization in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26366 A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. -- Feb 12, 2025 n/a
CVE-2025-26365 A CWE-306 Missing Authentication for Critical Function in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. -- Feb 12, 2025 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.