Total
324463 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14823 | 1 Connectwise | 1 Screenconnect | 2025-12-19 | 5.3 Medium |
| In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components. | ||||
| CVE-2025-12380 | 1 Mozilla | 1 Firefox | 2025-12-19 | 9.8 Critical |
| Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability affects Firefox < 144.0.2. | ||||
| CVE-2025-53710 | 1 Palantir | 2 Foundry, Foundry Container Service | 2025-12-19 | 7.5 High |
| Due to a product misconfiguration in certain deployment types, it was possible from different pods in the same namespace to communicate with each other. This issue resulted in bypass of access control due to the presence of a vulnerable endpoint in Foundry Container Service that executed user-controlled commands locally. | ||||
| CVE-2025-14896 | 2025-12-19 | 7.5 High | ||
| due to insufficient sanitazation in Vega’s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information. | ||||
| CVE-2025-14884 | 1 D-link | 1 Dir-605 | 2025-12-19 | 7.2 High |
| A vulnerability was detected in D-Link DIR-605 202WWB03. Affected by this issue is some unknown functionality of the component Firmware Update Service. Performing manipulation results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-14850 | 1 Advantech | 1 Webaccess/scada | 2025-12-19 | 8.1 High |
| Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files. | ||||
| CVE-2025-14849 | 1 Advantech | 1 Webaccess/scada | 2025-12-19 | 8.8 High |
| Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code. | ||||
| CVE-2025-14848 | 1 Advantech | 1 Webaccess/scada | 2025-12-19 | 4.3 Medium |
| Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files. | ||||
| CVE-2025-14739 | 1 Tp-link | 4 Tl-wr940n, Tl-wr941nd, Wr940n and 1 more | 2025-12-19 | N/A |
| Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows local unauthenticated attackers the ability to execute DoS attack and potentially arbitrary code execution under the context of the ‘root’ user.This issue affects WR940N and WR941ND: ≤ WR940N v5 3.20.1 Build 200316, ≤ WR941ND v6 3.16.9 Build 151203. | ||||
| CVE-2025-14738 | 1 Tp-link | 1 Tl-wa850re | 2025-12-19 | N/A |
| Improper authentication vulnerability in TP-Link WA850RE (httpd modules) allows unauthenticated attackers to download the configuration file.This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922. | ||||
| CVE-2025-64355 | 2 Crocoblock, Wordpress | 2 Jetelements For Elementor, Wordpress | 2025-12-19 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through 2.7.12. | ||||
| CVE-2025-64235 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Tuturn allows Path Traversal.This issue affects Tuturn: from n/a before 3.6. | ||||
| CVE-2025-63391 | 1 Open-webui | 1 Open-webui | 2025-12-19 | 7.5 High |
| An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers. | ||||
| CVE-2025-62002 | 2025-12-19 | 4.3 Medium | ||
| BullWall Ransomware Containment relies on the number of file modifications to trigger detection. An authenticated attacker could encrypt a single large file without triggering a detection alert. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. | ||||
| CVE-2025-62000 | 2025-12-19 | 7.1 High | ||
| BullWall Ransomware Containment does not entirely inspect a file to determine if it is ransomware. An authenticated attacker could bypass detection by encrypting a file and leaving the first four bytes unaltered. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. | ||||
| CVE-2025-64724 | 2 Apple, Arduino | 2 Macos, Arduino | 2025-12-19 | N/A |
| Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release. | ||||
| CVE-2025-68278 | 1 Tina | 1 Tinacms | 2025-12-19 | N/A |
| Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue. | ||||
| CVE-2025-64282 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Radius Blocks: from n/a through 2.2.1. | ||||
| CVE-2025-62961 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 5.4 Medium |
| Missing Authorization vulnerability in Sparkle WP Sparkle FSE allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sparkle FSE: from n/a through 1.0.9. | ||||
| CVE-2025-62998 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 5 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot allows Retrieve Embedded Sensitive Data.This issue affects WP AI CoPilot: from n/a through 1.2.7. | ||||