| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Greenshift WordPress plugin before 5.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| Auth. (author+) Cross-Site Scripting (XSS) vulnerability in Wpsoul Greenshift – animation and page builder blocks plugin <= 4.9.9 versions. |
| The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'gspb_save_files' function in versions up to, and including, 7.6.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.
Exposed ”com.pri.applock.LockUI“ activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it.
Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability.
Application update was released in April 2025. |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue. |
| Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue. |
| Android based smartphones from vendors such as Ulefone and Krüger&Matz contain "com.pri.factorytest" application preloaded onto devices during manufacturing process.
The application "com.pri.factorytest" (version name: 1.0, version code: 1) exposes a ”com.pri.factorytest.emmc.FactoryResetService“ service allowing any application to perform a factory reset of the device.
Application update did not increment the APK version. Instead, it was bundled in OS builds released later than December 2024 (Ulefone) and April 2025 (Krüger&Matz). |
| A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1.3 Build 2025-05-26-1605 is able to address this issue. It is recommended to upgrade the affected component. |
| CWE-287: Improper Authentication vulnerability exists which could cause the execution of
commands on the webserver without authentication when sending specially crafted HTTP
requests. |
| Not used |
| Buffer Overflow vulnerability in the get_var_integer function in mqtt_parser.c in NanoMQ 0.21.7 allows remote attackers to cause a denial of service via a series of specially crafted hexstreams. |
| Null Pointer Dereference vulnerability in topic_filtern function in mqtt_parser.c in NanoMQ 0.21.7 allows attackers to cause a denial of service. |
| Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp. |
| SQL injection vulnerability in f-logic datacube3 v.1.0 allows a remote attacker to obtain sensitive information via the req_id parameter. |
| A heap-buffer-overflow vulnerability in the read_byte function in NanoMQ v.0.21.7 allows attackers to cause a denial of service via transmission of crafted hexstreams. |
| The MM-email2image WordPress plugin through 0.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks |
| Cross Site Scripting (XSS) vulnerability in Typora v.1.6.7 and before, allows a local attacker to obtain sensitive information via a crafted script during markdown file creation. |
| An issue in Typora v.1.8.10 and before, allows a local attacker to obtain sensitive information and execute arbitrary code via a crafted payload to the src component. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 5.7.
|
