Latest Security Vulnerabilities

Saturday November 29, 2025

Openprinting Cups

CVE-2025-61915 CUPS <2.4.15: Config Injection OOB via Web UI
CVE-2025-58436 OpenPrinting CUPS DoS via Slow Messages prior to v2.4.15

CVE-2025-66221 Werkzeug 3.1.4 Fix Blocks Windows Device Name Injection via safe_join
CVE-2025-65892 krpano <1.23.2 rXSS via passQueryParameters xml param
CVE-2025-53896 Kiteworks MFT Session Timeout Bypass <9.1.0
CVE-2025-53899 Kiteworks MFT <9.1.0: Privilege Escalation via Destination Misconfig
CVE-2025-53939 Kiteworks PDN role mgmt privilege escalation via shared folder before v9.1.0
CVE-2025-66034 fontTools 4.33.0<4.60.2 varLib Arbitrary File Write RCE
CVE-2025-65540 Xmall v1.1 XSS via unsanitized username/description fields
CVE-2025-66036 XSS in Retro input handling before v2.4.7, fixed in 2.4.7
CVE-2025-66201 Auth-SSRF via Actions in LibreChat before v0.8.1-rc2
And others...

Cilium

CVE-2025-64715 Cilium eBPF egress SG ID bug: unintended outbound (1.16-1.18)

Orangehrm

CVE-2025-66291 OrangeHRM 5.0-5.7 Auth Bypass in Interview Attachments (CVE-2025-66291)
CVE-2025-66289 OrangeHRM 5.0-5.7 Session Revocation Failure (CVE-2025-66289)
CVE-2025-66224 OS Command Injection via Mail Config in OrangeHRM 5.0-5.7
CVE-2025-66290 OrangeHRM 5.0-5.7: ESS Users Can Download Candidate Attachments (Auth Bypass)
CVE-2025-66225 OrangeHRM 5.0-5.7 PW Reset Bypass Lets Attacker Takeover Accounts

Macwarrior

CVE-2025-65113 ClipBucket 5 X-Flagging Auth Bypass (v5 <5.5.2)

Openobserve

CVE-2025-66223 OpenObserve org invitation tokens never expire before 0.16.0

Friday November 28, 2025

Huawei Harmonyos

CVE-2025-64313 MS Office DoS via Office Service
CVE-2025-58303 UAF in Apple Screen Recording Framework Module
CVE-2025-58307 Apple ScreenRecording.framework UAF in Module (Availability)
CVE-2025-64311 Microsoft Notepad Module Permission Control Vulnerability
CVE-2025-58305 Gallery App Auth Bypass: Identity Bypass CVE-2025-58305
CVE-2025-58311 USB Driver Module UAF Vulnerability
CVE-2025-58312 CVE-2025-58312: App Lock permission control flaw
CVE-2025-64314 Permission Control Flaw in Mem-Mgr Module - CVE-2025-64314
CVE-2025-58316 DoS in Unknown Video-Related System Service Module
And others...

Unclassified

Hcl Unica

CVE-2025-51733 HCL Unica 12.0.0 CSRF Vulnerability
CVE-2025-51735 CSV Formula Injection in HCL Unica 12.0.0
CVE-2025-51734 XSS in HCL Unica 12.0.0 (UI)
CVE-2025-51736 File Upload Vulnerability in HCL Unica 12.0.0

Misp

CVE-2025-66384 MISP <2.5.24 EventsController tmp_name file validity flaw
CVE-2025-66386 MISP <=2.5.27 path traversal EventReport.php site-admin

Nextendweb

CVE-2025-13737 CSRF in Nextend Social Login 3.1.21 via unlinkUser nonce missing

Libexpatproject Libexpat

CVE-2025-66382 Denial of Service via Oversized XML in libexpat <= 2.7.3 (CVE-2025-66382)

Devolutions Remote Desktop Manager

CVE-2025-13683 Devolutions Server/Remote Desktop Manager Credential Leak 2025.3.8/2025.3.23

Abb Terra Ac Wallbox

CVE-2025-12143 ABB Terra AC Wallbox Buffer Overflow (<=1.8.33)

Netskope

CVE-2025-11156 Netskope NS Client Windows Driver Abuse Triggers BSOD DoS

Apache Kvrocks

CVE-2025-59790 Apache Kvrocks 2.9.02.13.0 Improper Privilege Management (Fixed 2.14.0)
CVE-2025-59792 Apache Kvrocks 1.0.02.13.0 MONITOR plaintext creds leak (CVE202559792)

Cerebrate Project Cerebrate

CVE-2025-66385 Cerebrate <1.30: Auth ND Priv Esc via UsersCtrl::edit (role_id/org_id)

Thursday November 27, 2025

Open Xchange Ox App Suite

CVE-2025-30190 Office Doc Scripting Injection Vulnerability (CVE-2025-30190)
CVE-2025-59025 Email XSS: Malicious Script Execution via Sanitization Bypass
CVE-2025-59026 File Upload XSS: Malicious Content Triggers Script Execution in User Context
CVE-2025-30186 CVE-2025-30186: File Upload XSS Causing Script Execution

Unclassified

Anyscale Ray

CVE-2025-34351 Anyscale Ray 2.52.0: Default Auth Disabled, Unauthenticated Remote Code Exec

CyberArk

CVE-2025-13762 CVE-2025-13762: CYBERARK SWS EXTENSION<2.2.30305 IMP INPUT VAL DOS

Qodeinteractive

CVE-2025-13157 QODE Wishlist WP Plugin <=1.2.7 IDOR via wishlist_item_callback

MatterMost

CVE-2025-12421 Mattermost <=11.0.2 Auth Flow Token Origin Verification Flaw (SSO Code Exchange)
CVE-2025-12419 Mattermost OAuth State Validation Flaw, Account Takeover in 10.x and 11.0.x
CVE-2025-12559 Mattermost 10.x-11.x: Email Addresses Exposed via /api/v4/channels Endpoint

Logpoint Siem

CVE-2025-66359 Logpoint <7.7.0 XSS via Insufficient Input Validation in Multiple Components
CVE-2025-66360 Logpoint <=7.6 Privilege Escalation via Misconfigured ACL Exposes Redis Data
CVE-2025-66361 Logpoint <7.7.0 Sensitive Info Leak in System Processes (High CPU)

Blubrry Powerpress

CVE-2025-13536 PowerPress <=11.15.2 Arbitrary File Upload via Insufficient Extension Validation

Shapedplugin

CVE-2025-12584 Quick View for WooCommerce <=2.2.17 InfoExposure via AJAX

Eaton

CVE-2025-59890 Eaton Galileo Path Traversal via Archive Upload

Devolutions Server

CVE-2025-13757 SQL Injection in Devolutions Server before 2025.3.8
CVE-2025-13758 Devolutions Server <=2025.3.8 Creds Exposure via Unintended Requests
CVE-2025-13765 Devolutions Server <2025.2.21 & <2025.3.9: Non-Admin Credential Exposure

Thingsboard

CVE-2025-3261 ThingsBoard Stored XSS via SVG upload in Image Gallery before v4.2.1

Ays Pro

CVE-2025-13378 AYS WordPress Plugin (2.7.0) SSRF via ays_chatgpt_pinecone_upsert
CVE-2025-13381 WP AYS ChatGPT Plugin: Auth Bypass on ays_chatgpt_save_wp_media (2.7.0)

Apache CloudStack

CVE-2025-59302 Apache CloudStack 4.18-4.20.1/4.21-4.21.9: Code Injection via Admin APIs
CVE-2025-59454 Access Control Gap in Apache CloudStack 4.20.2.0 APIs

Automatedlogic Zone Controllers

CVE-2025-0658 Zone Controller BACnet Crash Permanent Fault (CVE-2025-0658)

Carrier

CVE-2024-5539 Access Control Bypass in ALC WebCTRL & Carrier iVu <=8.5
CVE-2025-0657 Automated Logic i-Vu Gen5 Driver: Malformed BACnet MS/TP Causes Fault
CVE-2024-5540 ALC WebCTRL & Carrier iVu <8.0 XSS in login panels

Zte

CVE-2025-66314 CVE-2025-66314: Priv Escalation via ACL Bypass in ZTE ElasticNet UME R32 v16.23.20.04

Mitsubishielectric Gx Works2

CVE-2025-3784 GX Works2 Cleartext Storage of Credentials in Project Files

Presstigers

CVE-2025-12151 WordPress Simple Folio <=1.1.0 Stored XSS (portfolio_name)

Elated Themes

CVE-2025-13539 FindAll Membership v1.0.4 Authentication Bypass via FB/Google User Check
CVE-2025-13538 FindAll Listing Plugin <=1.0.5 Priv Escalation via Unrestricted Role Reg

Era404

CVE-2025-12185 WordPress StaffList <=3.2.6 Stored XSS via Admin Settings

Apache

CVE-2025-54057 Apache SkyWalking <=10.2.0 XSS Vulnerability in Web Page Rendering

Wednesday November 26, 2025

GitLab

CVE-2025-12571 GitLab CE/EE Denial of Service via Malicious JSON (Unauthenticated Exploit)
CVE-2025-13611 GitLab CE/EE Log Auth Token Leak (v13.2-18.4.5, 18.5-18.5.3, 18.6-18.6.1)
CVE-2025-12653 GitLab CE/EE Unauth Org Join via Header Manipulation (pre18.6.1)
CVE-2025-7449 GitLab CE/EE DoS via HTTP response (auth) pre-18.4.5/18.5.3/18.6.1
CVE-2025-6195 Info Disclosure via Security Reports in GitLab EE pre-18.4.5/18.5.3/18.6.1

Angular

CVE-2025-66035 Angular XSRF Leakage via Protocol-Relative URLs (19.2.15/20.3.13/21.0.0)

Wireshark

CVE-2025-13674 Wireshark 4.6.0 BPv7 dissector DoS crash

Red Hat Enterprise Linux (RHEL)

CVE-2025-13601 Glib Heap Buffer Overflow in g_escape_uri_string()

Ubuntu

CVE-2025-2486 Ubuntu edk2 UEFI: Secure Boot Bypass via Shell (2024.05-2ubuntu0.3)

Microsoft Azure App Gateway

CVE-2025-64656 Nov 2025: Azure Application Gateway Elevation of Privilege Vulnerability
CVE-2025-64657 Nov 2025: Azure Application Gateway Elevation of Privilege Vulnerability

Unclassified

Splunk

CVE-2025-20373 Plain Text Client Secrets in Splunk Addon for Palo Alto Networks <2.0.2

Kde

CVE-2025-59820 Krita <5.2.13 TGA Img Import Heap Buf Overflow
CVE-2025-55174 KDE Skanpage<25.08.0 File Overwrite via QIODevice::ReadWrite

Digitalbazaar Forge

CVE-2025-66031 Uncontrolled Recursion DoS in node-forge <1.3.2 (ASN.1 Parsing)
CVE-2025-66030 Integer Overflow in node-forge 1.3.1 Enables OID Bypass

Apache Hive

CVE-2025-62728 SQLi via Thrift API in Apache Hive Metastore Server <4.2.0

Drupal

CVE-2025-12848 CVE-2025-12848: Drupal Webform MF Module XSS via Malicious Filename

OWASP

CVE-2025-66021 OWASP Java HTML Sanitizer XSS via noscript/style before 20240325.1

Apache Druid

CVE-2025-59390 Apache Druid Kerberos Fallback Cookie Secret Weakness (CVE-2025-59390)

Favethemes Houzez

CVE-2025-9163 Houzez Theme <=4.1.6: Stored XSS via SVG Uploads (houzez_property_img_upload)
CVE-2025-9191 WordPress Houzez Theme <=4.1.6 PHP Object Injection via saved-search-item.php

Red Hat Openstack

CVE-2021-4472 OpenStack Mistral-Dashboard LFI via Create Workbook

Oisf Suricata

CVE-2025-64335 NULL DEREF in Suricata 8.0.0-8.0.1 (entropy+base64_data)
CVE-2025-64333 Suricata <7.0.13/8.0.2 Stack Overflow via Large HTTP Content Type
CVE-2025-64332 Suricata <7.0.13 or 8.0.2 SWF Decompression Stack Overflow Crash
CVE-2025-64330 Suricata < 7.0.13 / 8.0.2 Heap Overflow in eve.alert Logging
CVE-2025-64344 Suricata Stack Overflow via Lua Buffers (vulnerable <7.0.13/8.0.2)
CVE-2025-64334 Suricata 8.0.1 Unbounded Mem Growth via LZMA HTTP Decompression
CVE-2025-64331 Suricata HTTP Body Overflow (7.0.12, 8.0.1)

Redaxo

CVE-2025-66026 REDAXO <=5.20.0 Reflected XSS in Mediapool view (args[types])

Ruoyi

CVE-2025-46174 Ruoyi 4.8.0 Incorrect Access Control in SysUserController resetPwd
CVE-2025-56396 Ruoyi 4.8.1 Privilege Escalation via Department Rights (CVE-2025-56396)
CVE-2025-46175 Ruoyi v4.8.0 SysUserController Access Control Flaw (Missing checkUserDataScope)

Frappe Crm

CVE-2025-11461 SQLi in Frappe CRM 1.53.1 Dashboard Controller via unsafe concat

Zenitel

CVE-2025-64130 Zenitel TCIV-3+ Reflected XSS Allows Remote JS Execution
CVE-2025-64127 Unidentified Product OS Command Injection (CVE-2025-64127)
CVE-2025-64128 OS Command Injection: Weak Input Validation (CVE-2025-64128)
CVE-2025-64129 TCIV-3+ OOB Write Allows Remote Crash Zenitel

Opto22 Groov View Server

CVE-2025-13084 groov View API Users Endpoint Leaks All User API Keys