CVE List - 2025 / October
Showing 2401 - 2500 of 4280 CVEs for October 2025 (Page 25 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-48044 | 2025-10-17 | Authorization bypass when bypass policy condition evaluates to true |
| CVE-2025-11902 | 2025-10-17 | yanyutao0402 ChanCMS findField sql injection |
| CVE-2025-11903 | 2025-10-17 | yanyutao0402 ChanCMS update sql injection |
| CVE-2025-48087 | 2025-10-17 | WordPress Memberlite Shortcodes plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-55085 | 2025-10-17 | Web http client: Unchecked Server-Side Malicious Packet Issue |
| CVE-2025-11904 | 2025-10-17 | yanyutao0402 ChanCMS hasUse sql injection |
| CVE-2025-49655 | 2025-10-17 | Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper... |
| CVE-2025-62353 | 2025-10-17 | A path traversal vulnerability in all versions of the Windsurf IDE enables a threat actor to read and write arbitrary local files in and outside of current projects on an... |
| CVE-2025-26625 | 2025-10-17 | Git LFS may write to arbitrary files via crafted symlinks |
| CVE-2025-11905 | 2025-10-17 | yanyutao0402 ChanCMS gather.js getArticle code injection |
| CVE-2025-62356 | 2025-10-17 | A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local files in and outside of current projects on an... |
| CVE-2025-58747 | 2025-10-17 | Dify MCP OAuth Flow Vulnerable to XSS |
| CVE-2025-8414 | 2025-10-17 | Zigbee Green Power Host Buffer Overflow Vulnerability |
| CVE-2025-59043 | 2025-10-17 | OpenBao vulnerable to denial of service via malicious JSON request processing |
| CVE-2025-62168 | 2025-10-17 | Squid vulnerable to information disclosure via authentication credential leakage in error handling |
| CVE-2025-62171 | 2025-10-17 | ImageMagick vulnerable to denial of service via integer overflow in BMP decoder on 32-bit systems |
| CVE-2025-62422 | 2025-10-17 | DataEase SQL injection vulnerability |
| CVE-2025-62421 | 2025-10-17 | DataEase vulnerable to stored cross-site scripting via file upload bypass |
| CVE-2025-62420 | 2025-10-17 | DataEase vulnerable to remote code execution via H2 JDBC driver bypass |
| CVE-2025-62419 | 2025-10-17 | DataEase vulnerable to JDBC URL injection in DB2 and MongoDB data source configuration |
| CVE-2025-62424 | 2025-10-17 | ClipBucket path traversal vulnerability in template editor allows arbitrary file read and write |
| CVE-2025-62430 | 2025-10-17 | ClipBucket v5 stored XSS via video/photo fields |
| CVE-2025-62505 | 2025-10-17 | SSRF in lobehub/lobe-chat with native web fetch module |
| CVE-2025-11908 | 2025-10-17 | Shenzhen Ruiming Technology Streamax Crocus FileDir.do uploadFile unrestricted upload |
| CVE-2025-11909 | 2025-10-17 | Shenzhen Ruiming Technology Streamax Crocus RepairRecord.do queryLast sql injection |
| CVE-2025-34281 | 2025-10-17 | ThingsBoard < v4.2.1 SVG Image Stored XSS |
| CVE-2025-34282 | 2025-10-17 | ThingsBoard < v4.2.1 SVG Image SSRF |
| CVE-2025-11910 | 2025-10-17 | Shenzhen Ruiming Technology Streamax Crocus MemoryState.do query sql injection |
| CVE-2025-11911 | 2025-10-17 | Shenzhen Ruiming Technology Streamax Crocus DeviceFault.do Query sql injection |
| CVE-2025-62511 | 2025-10-17 | yt-grabber-tui local arbitrary file overwrite via TOCTOU race in config file creation |
| CVE-2025-11925 | 2025-10-17 | Incorrect Content-Type Header |
| CVE-2025-11912 | 2025-10-17 | Shenzhen Ruiming Technology Streamax Crocus DeviceState.do Query sql injection |
| CVE-2025-11913 | 2025-10-17 | Shenzhen Ruiming Technology Streamax Crocus Service.do download path traversal |
| CVE-2025-62508 | 2025-10-17 | Citizen vulnerable to stored XSS in sticky header button messages |
| CVE-2025-11914 | 2025-10-17 | Shenzhen Ruiming Technology Streamax Crocus DeviceFileReport.do download path traversal |
| CVE-2025-62515 | 2025-10-17 | Remote Code Execution by Pickle Deserialization via FlightServer in pyquokka |
| CVE-2025-62652 | 2025-10-17 | Stored XSS in WebAuthn key name |
| CVE-2025-62653 | 2025-10-17 | Stored XSS through system messages in PollNY |
| CVE-2025-62654 | 2025-10-17 | Stored XSS through system messages in QuizGame |
| CVE-2025-62655 | 2025-10-17 | SQL injection in Cargo via Special:CargoExport |
| CVE-2025-11378 | 2025-10-18 | ShortPixel Image Optimizer <= 6.3.4 - Authenticated (Contributor+) Settings Import/Export |
| CVE-2020-36853 | 2025-10-18 | 10WebMapBuilder <= 1.0.63 - Unauthenticated Stored Cross-Site Scripting via Plugin Settings Change |
| CVE-2017-20206 | 2025-10-18 | Appointments <= 2.2.1 - Unauthenticated PHP Object Injection |
| CVE-2020-36854 | 2025-10-18 | Async JavaScript <= 2.19.07.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting |
| CVE-2017-20207 | 2025-10-18 | Flickr Gallery <= 1.5.2 - Unauthenticated PHP Object Injection |
| CVE-2017-20208 | 2025-10-18 | RegistrationMagic - Custom Registration Forms <= 3.7.9.2 - PHP Object Injection |
| CVE-2025-62665 | 2025-10-18 | Stored XSS through system messages in Skin:BlueSky |
| CVE-2025-62664 | 2025-10-18 | Stored XSS through a system message in ImageRating |
| CVE-2025-62663 | 2025-10-18 | Stored XSS through a system message in UploadWizard |
| CVE-2025-62662 | 2025-10-18 | Stored XSS through system messages in AdvancedSearch |
| CVE-2025-62671 | 2025-10-18 | Stored XSS through wikitext in Cargo |
| CVE-2025-11361 | 2025-10-18 | Essential Blocks <= 5.7.1 - Authenticated (Author+) Server-Side Request Forgery |
| CVE-2025-62670 | 2025-10-18 | Stored XSS through a system message in FlexDiagrams |
| CVE-2025-62669 | 2025-10-18 | UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks |
| CVE-2025-62668 | 2025-10-18 | Insufficient permission checks in action=growthsetmentor |
| CVE-2025-62667 | 2025-10-18 | Stored XSS through article extracts in GrowthExperiments |
| CVE-2025-62666 | 2025-10-18 | DoS vector through the cirrusbuilddoc query API |
| CVE-2025-11937 | 2025-10-18 | Stored XSS through a system message in SecurePoll |
| CVE-2025-11738 | 2025-10-18 | Media Library Assistant <= 3.29 - Unauthenticated Limited File Read |
| CVE-2025-11857 | 2025-10-18 | XX2WP Integration Tools <= 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-11742 | 2025-10-18 | WPC Smart Wishlist for WooCommerce <= 5.0.4 - Missing Authorization to Authenticated (Subscriber+) Information Exposure |
| CVE-2025-11517 | 2025-10-18 | Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass |
| CVE-2025-11741 | 2025-10-18 | WPC Smart Quick View for WooCommerce <= 4.2.5 - Insecure Direct Object Reference to Unauthenticated Private Product Exposure |
| CVE-2025-10187 | 2025-10-18 | GSpeech TTS – WordPress Text To Speech Plugin <= 3.17.13 - Authenticated (Admin+) SQL injection |
| CVE-2025-10006 | 2025-10-18 | WPBakery Page Builder <= 8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-11703 | 2025-10-18 | WP Go Maps (formerly WP Google Maps) <= 9.0.48 - Unauthenticated Cache Poisoning |
| CVE-2025-9562 | 2025-10-18 | Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode |
| CVE-2025-11510 | 2025-10-18 | FileBird <= 6.4.9 - Improper Authorization to Authenticated (Author+) Settings Reset |
| CVE-2025-11519 | 2025-10-18 | Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload |
| CVE-2025-11270 | 2025-10-18 | Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 5.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-11391 | 2025-10-18 | PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload |
| CVE-2025-11372 | 2025-10-18 | LearnPress – WordPress LMS Plugin <= 4.2.9.3 - Missing Authorization to Unauthenticated Database Table Manipulation |
| CVE-2025-11691 | 2025-10-18 | PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated SQL Injection |
| CVE-2025-11256 | 2025-10-18 | Kognetiks Chatbot <= 2.3.5 - Missing Authorization to Unauthenticated Limited File Uploads and Conversation Erasing |
| CVE-2025-10750 | 2025-10-18 | PowerBI Embed Reports <= 1.2.0 - Unauthenticated Sensitive Information Disclosure |
| CVE-2025-5555 | 2025-10-18 | Nixdorf Wincor PORT IO Driver IOCTL wnport.sys sub_11100 stack-based overflow |
| CVE-2025-40001 | 2025-10-18 | scsi: mvsas: Fix use-after-free bugs in mvs_work_queue |
| CVE-2025-40002 | 2025-10-18 | thunderbolt: Fix use-after-free in tb_dp_dprx_work |
| CVE-2025-40003 | 2025-10-18 | net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work |
| CVE-2025-9890 | 2025-10-18 | Theme Editor <= 3.0 - Cross-Site Request Forgery to Remote Code Execution |
| CVE-2025-11926 | 2025-10-18 | Related Posts Lite <= 1.12 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-47410 | 2025-10-18 | Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system |
| CVE-2025-62672 | 2025-10-19 | rplay through 3.3.2 allows attackers to cause a denial of service (SIGSEGV and daemon crash) or possibly have unspecified other impact. This occurs in memcpy in the RPLAY_DATA case in... |
| CVE-2025-11938 | 2025-10-19 | ChurchCRM setup.php deserialization |
| CVE-2025-11939 | 2025-10-19 | ChurchCRM Backup Restore RestoreJob.php path traversal |
| CVE-2025-11940 | 2025-10-19 | LibreWolf Installer setup.nsi uncontrolled search path |
| CVE-2025-11941 | 2025-10-19 | e107 CMS Avatar image.php path traversal |
| CVE-2025-11942 | 2025-10-19 | 70mai X200 Pairing missing authentication |
| CVE-2025-11943 | 2025-10-19 | 70mai X200 HTTP Web Server default credentials |
| CVE-2025-11944 | 2025-10-19 | givanz Vvveb Raw SQL import.php import sql injection |
| CVE-2025-11945 | 2025-10-19 | toeverything AFFiNE Avatar Upload Image Endpoint cross site scripting |
| CVE-2025-11946 | 2025-10-19 | LogicalDOC Community Edition Add Contact frontend.jsp cross site scripting |
| CVE-2025-11947 | 2025-10-19 | bftpd Configuration File options.c expand_groups heap-based overflow |
| CVE-2024-55568 | 2025-10-20 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123,... |
| CVE-2025-26781 | 2025-10-20 | An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 9110, W920, W930, Modem 5123,... |
| CVE-2025-26782 | 2025-10-20 | An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 9110, W920, W930, Modem 5123,... |
| CVE-2025-48025 | 2025-10-20 | In Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000, there is an improper access control vulnerability related to a log... |
| CVE-2025-54764 | 2025-10-20 | Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd. |
| CVE-2025-54957 | 2025-10-20 | An issue was discovered in Dolby UDC 4.5 through 4.13. A crash of the DD+ decoder process can occur when a malformed DD+ bitstream is processed. When Evolution data is... |
| CVE-2025-56219 | 2025-10-20 | Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any rate limiting. This can lead to a resource exhaustion and a Denial of Service (DoS)... |