Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-4567
Post Slider and Carousel with Widget < 3.2.10 - Admin+ Stored XSS
Description: The Post Slider and Post Carousel with Post Vertical Scrolling Widget WordPress plugin before 3.2.10 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
June 3rd, 2025 (6 days ago)

CVE-2025-3662
FancyBox for WordPress < 3.3.6 - Unauthenticated Stored XSS
Description: The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS

CVSS: MEDIUM (6.1)

EPSS Score: 0.03%

Source: CVE
June 3rd, 2025 (6 days ago)

CVE-2025-3584
Newsletter < 8.8.2 - Admin+ Stored XSS via Subscription
Description: The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
June 3rd, 2025 (6 days ago)
[github.com/forceu/gokapi] Gokapi has stored XSS vulnerability in friendly name for API keys
Description: Impact By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. With the affected versions Patches This CVE has been fixed in v2.0.0 Workarounds If you are the only authenticated user using Gokapi, you are not affected. A workaround would be to not open the API page if you suspect that another user might have injected code. References https://github.com/Forceu/Gokapi/security/advisories/GHSA-4xg4-54hm-9j77 https://nvd.nist.gov/vuln/detail/CVE-2025-48495 https://github.com/Forceu/Gokapi/commit/65ddbc68fbfdf1c80cadb477f4bcbb7f2c4fdbf8 https://github.com/advisories/GHSA-4xg4-54hm-9j77

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: Github Advisory Database (Go)
June 3rd, 2025 (6 days ago)
[github.com/forceu/gokapi] Gokapi vulnerable to stored XSS via uploading file with malicious file name
Description: Impact When using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. With the affected versions Patches This CVE has been fixed in v2.0.0 Workarounds If you are the only authenticated user using Gokapi, you are not affected. A workaround would be to disable end-to-end encryption. References https://github.com/Forceu/Gokapi/security/advisories/GHSA-95rc-wc32-gm53 https://nvd.nist.gov/vuln/detail/CVE-2025-48494 https://github.com/Forceu/Gokapi/commit/343cc566cfd7f4efcd522c92371561d494aed6b0 https://github.com/Forceu/Gokapi/releases/tag/v2.0.0 https://github.com/advisories/GHSA-95rc-wc32-gm53

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: Github Advisory Database (Go)
June 3rd, 2025 (6 days ago)

CVE-2025-31712
In cplog service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no...
Description: In cplog service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed.

CVSS: MEDIUM (5.1)

EPSS Score: 0.02%

Source: CVE
June 3rd, 2025 (6 days ago)

CVE-2025-31711
In cplog service, there is a possible system crash due to null pointer dereference. This could lead to local denial of service with no additional...
Description: In cplog service, there is a possible system crash due to null pointer dereference. This could lead to local denial of service with no additional execution privileges needed.

CVSS: MEDIUM (5.1)

EPSS Score: 0.02%

Source: CVE
June 3rd, 2025 (6 days ago)

CVE-2025-31710
In engineermode service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege...
Description: In engineermode service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed.

CVSS: MEDIUM (5.9)

EPSS Score: 0.76%

Source: CVE
June 3rd, 2025 (6 days ago)

CVE-2024-53018
Time-of-check Time-of-use (TOCTOU) Race Condition in Camera Driver
Description: Memory corruption may occur while processing the OIS packet parser.

CVSS: MEDIUM (6.6)

EPSS Score: 0.01%

Source: CVE
June 3rd, 2025 (6 days ago)

CVE-2024-53017
Use of Out-of-range Pointer Offset in Camera Driver
Description: Memory corruption while handling test pattern generator IOCTL command.

CVSS: MEDIUM (6.6)

EPSS Score: 0.02%

Source: CVE
June 3rd, 2025 (6 days ago)