Latest Security Vulnerabilities

Saturday November 22, 2025

 

Unclassified

CVE-2025-11186 WordPress Cookie Notice Plugin <=2.5.8 Stored XSS via cookies_accepted shortcode
CVE-2025-11456 ELEX WordPress HelpDesk ARFU v3.3.1
CVE-2025-11808 Stored XSS in WP Google Street View Plugin 'streetview' Shortcode v0.5.7
CVE-2025-10054 ELEX WP HelpDesk <=3.3.1: Unauthorized removal via elex_crm_remove_agent
CVE-2025-12935 FluentCRM WP Plugin Stored XSS via fluentcrm_content Shortcode <=2.9.84
CVE-2025-64310 BruteForce via Excessive Auth Attempts in EPSON WebConfig for SEIKO Projectors
CVE-2025-11802 WordPress Bulma Shortcodes v1.0 Stored XSS via type attr.
CVE-2025-12022 ELEX WP HelpDesk <=3.3.1 missing capability check lets Subscriber restore tickets
CVE-2025-12169 ELEX WP HelpDesk: AuthZ Bypass on wp_ajax_eh_crm_sched_empty (3.3.0)
And others...

Friday November 21, 2025

Linux Kernel

CVE-2025-40209 Linux Kernel Btrfs Mem Leak CVE-2025-40209
CVE-2025-40211 Linux Kernel ACPI Video Use-After-Free in switch_brightness()
CVE-2025-40210 Linux Kernel NFSd op-count overflow via NFSv4 COMPOUND

Apple iPadOS

CVE-2025-31216 Apple iOS/iPadOS WiFi Profile Override (fixed in 18.5)

Wolfssl

CVE-2025-11932 OpenSSL TLS1.3 PSK binder timing info leak (pre-3.2)
CVE-2025-12889 OpenSSL TLS1.2: Client Can Use Weak Digest in CertificateRequest
CVE-2025-12888 ESP32 X25519 Timing Side-Channel Vulnerability
CVE-2025-11933 wolfSSL 5.8.2 TLS1.3 CKS Extension Duplicate DoS via Input Validation
CVE-2025-11936 wolfSSL 5.8.2 TLS1.3 KeyShare DDOS CVE-2025-11936
CVE-2025-11935 TLS 1.3 PSK PFS Bypass CVE202511935
CVE-2025-11934 wolfSSL <=5.8.2: Improper TLS1.3 CertVerify SigAlg Negotiation (Downgrade)
CVE-2025-11931 wolfSSL XChaCha20-Poly1305 Integer Underflow OOB

GitLab

CVE-2025-9825 GitLab GraphQL API: Unauthorized View of CI/CD Vars (13.7-18.3.3, 18.4-18.4.1)

Wireshark

CVE-2025-13499 Wireshark 4.4-4.6 DoS via Kafka Dissector Crash

Wp Legal Pages Gdpr Cookie Consent

CVE-2025-66075 Missing Authorization in WP Cookie Notice for GDPR, CCPA & ePrivacy Consent <=4.0.3

Grafana Labs Grafana

CVE-2025-41115 Grafana SCIM Numeric externalId Vulnerability: ID Override and Impersonation

HashiCorp

CVE-2025-13357 Vault Terraform Provider LDAP DenyNullBind FALSE default before v5.5.0

Apple Safari

CVE-2025-13132 Safari Fullscreen API Abuse: No Fullscreen Notification Toast

AMD

CVE-2025-29934 AMD SEVSNP stale TLB bug allows admin to run guest
CVE-2025-62626 AMD CPU RDSEED Entropy Issue Enables Local Randomness Manipulation

Apple macOS

CVE-2025-31248 Directory Path Parsing CVE in macOS OS Fixed 13.7.3/15.5/14.7.3
CVE-2025-43374 Apple OS Kernel OOB Read via Bounds Check - Fixed in iOS 18.5
CVE-2025-31266 Safari 18.5 Domain Name Spoofing in Popup Titles

HashiCorp Terraform Enterprise

CVE-2025-13432 Terraform Enterprise state version privilege escalation (pre-1.1.1)

Tainacan

CVE-2025-12746 WP Tainacan 1.0.0 Reflected XSS via 'search' param
CVE-2025-12747 Information Exposure in Tainacan WP Plugin <=1.0.0 via Private File Leakage
 

Unclassified

CVE-2025-11186 WordPress Cookie Notice Plugin <=2.5.8 Stored XSS via cookies_accepted shortcode
CVE-2025-11456 ELEX WordPress HelpDesk ARFU v3.3.1
CVE-2025-11808 Stored XSS in WP Google Street View Plugin 'streetview' Shortcode v0.5.7
CVE-2025-10054 ELEX WP HelpDesk <=3.3.1: Unauthorized removal via elex_crm_remove_agent
CVE-2025-12935 FluentCRM WP Plugin Stored XSS via fluentcrm_content Shortcode <=2.9.84
CVE-2025-64310 BruteForce via Excessive Auth Attempts in EPSON WebConfig for SEIKO Projectors
CVE-2025-11802 WordPress Bulma Shortcodes v1.0 Stored XSS via type attr.
CVE-2025-12022 ELEX WP HelpDesk <=3.3.1 missing capability check lets Subscriber restore tickets
CVE-2025-12169 ELEX WP HelpDesk: AuthZ Bypass on wp_ajax_eh_crm_sched_empty (3.3.0)
And others...

Craig Hewitt Seriously Simple Podcasting

CVE-2025-66060 Missing Authorization in Seriously Simple Podcasting Plugin 3.13.0 CVE-2025-66060
CVE-2025-66061 CSRF in Seriously Simple Podcasting <=3.13.0
CVE-2025-66059 Seriously Simple Podcasting Sensitive Data Leak <=3.13.0

AMD Uprof

CVE-2025-48502 AMD uprof Local Privilege Escalation via MSR Overwrite

Amazon Aws

CVE-2025-13524 Audio Leak after Call Termination in AWS Wickr<6.62.13 (Windows/macOS/Linux)

Boldthemes Bold Page Builder

CVE-2025-66057 XSS in Bold Page Builder <=5.5.2

Sabuj Kundu Cbxwpbookmark

CVE-2025-66101 Missing Auth in CBX Bookmark & Favorite <=2.0.1

Thimpress Learnpress

CVE-2025-11368 LearnPress WP LMS Plugin 4.2.9.4 Sensitive Information Disclosure via REST API

Iqonicdesign Wpbookit

CVE-2025-12135 Stored XSS in WPBookit 1.0.6 via css_code (Unauth)

Kriesi Enfold

CVE-2025-66053 Enfold <=7.1.2 Stored XSS Vulnerability

Icegram Email Subscribers Newsletters

CVE-2025-66055 Icegram Email Subscribers & Newsletters <=5.9.10 Deserialization OI

Syed Balkhi Rafflepress

CVE-2025-66064 CSRF in Giveaways & Contests by RafflePress <=1.12.20 (Wordpress)

Envothemes Envo Extra

CVE-2025-66066 Envo Extra <=1.9.11 Stored XSS via envo-extra Component

Tychesoftwares Custom Order Numbers Woocommerce

CVE-2025-66071 Missing Auth in Custom Order Numbers for WooCommerce (<=1.11.0)

Cozmoslabs Wp Webhooks

CVE-2025-66073 Cozmoslabs WP Webhooks <=3.3.8: Deserializable Object Injection Vulnerability

Webtoffee Product Feed

CVE-2025-66089 Missing Auth on WebToffee Product Feed for WooCommerce (<=2.3.1)

Sonalsinha21 Skt Skill Bar

CVE-2025-66090 SKT Skill Bar <=2.5 DOM-Based XSS in skill-bar Component

Themeatelier Chat Help

CVE-2025-66099 Missing Auth in ThemeAtelier Chat Help 3.1.3

Wazuh

CVE-2025-64483 Wazuh API/Agent Config: Read-Only Users Leak Enrollment Credentials 4.12.9
CVE-2025-64169 Wazuh fim_alert Null Pointer Deref Causing Crash (v3.7.0-4.12.0)
CVE-2025-30201 NTLM Relay via Malicious UNC Paths in Wazuh Agent <4.13.0
CVE-2025-54866 Wazuh ACL Misconfig on authd.pass Exposed to Authenticated Users (4.3.04.12.x)

Espressif Esp Idf

CVE-2025-65092 ESP32-P4 JPEG HW Decoder OOB in ESP32-IDF 5.5.1/5.4.3/5.3.4

Pjsip

CVE-2025-65102 PJSIP Pre-2.16 Opus PLC Zero-Fill Causes Memory Overwrite

Langchain Ai Langchain

CVE-2025-65106 LangChain Prompt Template Injection 0.3.79-1.0.6 Enables Python Object Disclosure

Authzed Spicedb

CVE-2025-65111 SpiceDB Pre-1.47.1 LookupResources Missing Results via Self-Referential Union

Uncanny Owl Uncanny Automator

CVE-2025-66056 Unauth Control Sphere: Sensitive Data Exposure in Uncanny Automator <6.10.0

IBM Concert

CVE-2025-36149 IBM Concert Soft 1.0-2.0 Remote Click Hijacking Vulner
CVE-2025-36161 IBM Concert HSTS Misconfiguration Allowing Remote Info Exposure 1.0.0-2.0.0

Vllm

CVE-2025-62164 vLLM memory corruption in Completions API (0.10.20.11.1) DOS/RCE

Wpswings

CVE-2025-12086 Insecure DOR in Return Refund & Exchange For WooCommerce plugin <4.5.6
CVE-2025-12881 IDOR in WooCommerce Return Refund & Exchange Plugin <=4.5.5

Funnelkit Funnel Builder

CVE-2025-66067 DOM-Based XSS in FunnelKit Funnel Builder <=3.13.1.2

Themeisle Woocommerce Product Addon

CVE-2025-66069 Themeisle PPOM WP PlugIn: Missing Auth 33.0.16 and earlier

Stiofan Userswp

CVE-2025-66072 Missing Auth in Stiofan UsersWP <=1.2.47

Jegstudio Gutenverse Form

CVE-2025-66079 Missing Auth in Jegstudio's Gutenverse Form <=2.2.0

Magepeopleteam Mage Eventpress

CVE-2025-66082 Missing Auth in WpEvently (<=5.0.4) Exploits Incorrect Access Control
CVE-2025-66083 Missing Auth in WpEvently 5.0.4 (mage-eventpress)

Bplugins B Tiktok Feed

CVE-2025-66110 b-tiktok-feed <=1.0.22 Missing Auth in WP Plugin

Webtoffee Accessibility Plus

CVE-2025-66112 Missing Auth in WebToffee Accessibility Toolkit <=2.0.4

Blackduck Black Duck Sca

CVE-2025-0504 Black Duck SCA < 2025.10.0: Project Manager Role Grants Admin Capabilities

Openfga

CVE-2025-64751 OpenFGA v1.4.0-v1.11.0 Improper Policy Enforcement in Check & ListObj Calls

Wpwax Legal Pages

CVE-2025-66077 Illegal Access in wpWax Legal Pages 1.4.6 - Missing Auth

Nelio Software Nelio Popups

CVE-2025-66111 Nelio Popups XSS before 1.3.0 (Stored)

Iqonic Design Kivicare Clinic Management System

CVE-2025-66095 SQL Injection in Iqonic Design KiviCare kivicare-clinic-management-system v<=3.6.13

Themeatelier Better Chat Support

CVE-2025-66113 CVE-2025-66113: Missing Auth in BetterChatSupport (1.2.18) Open AC

Theme Funda Woo Show Single Variations Shop Category

CVE-2025-66114 CVE-2025-66114: Missing Auth in Show Variations as Single Pro (WooCommerce) v<=2.0

Matrixaddons Easy Invoice

CVE-2025-66115 MatrixAddons Easy Invoice easy-invoice <=2.1.4 LFI Vulnerability

Publishpress

CVE-2025-13149 Unauth Post State Change via REST API in PublishPress Future 4.9.1

Groundhogg

CVE-2025-12750 Groundhogg WP Plugin 4.2.6.1 SQL Injection via term param

Frank Goossens Wp Youtube Lyte

CVE-2025-66062 Frank Goossens WP YouTube Lyte 1.7.28 or earlier Open Redirect (URL Redirection)

Jeff Starr Head Meta Data

CVE-2025-66081 Head Meta Data Stored XSS via Improper Input Neutralization

Imtiaz Rayhan Tableberg

CVE-2025-66096 Missing Auth: Table Block by Tableberg <=0.6.9

Octolize Woo Cart Weight

CVE-2025-66109 Cart Weight for WooCommerce <=1.9.11: Missing Auth Vulnerability

Tychesoftwares Arconix Shortcodes

CVE-2025-66085 Missing Auth in TycheSoftwares Arconix Shortcodes <=2.1.18 WP Plugin

Hupe13 Extensions Leaflet Map

CVE-2025-66093 XSS: DOM-based in hupe13 Extensions for Leaflet Map <=4.8

Camille V Travelers Map

CVE-2025-66098 Stored XSS in Travelers' Map <= 2.3.2 (travelers-map)

Scott Paterson Subscriptions Memberships Paypal

CVE-2025-66107 Missing Auth in WP Subscriptions & Memberships for PayPal <=1.1.7

Anthropic Claude Code

CVE-2025-64755 Claude Code <=2.0.30: Sed Parsing Enables AFW

Nootheme

CVE-2025-11985 Realty Portal WP Plugin 0.1-0.4.1: Missing Cap Check Priv Esc

Jgwhite33 Wp Google Places Review Slider

CVE-2025-66063 WP Google Review Slider <=17.4 Missing Auth: Insecure Access Control

Shahjahan Jewel Fluent Community

CVE-2025-66084 VA: Missing Auth in Shahjahan Jewel FluentCommunity <=2.0.0

Property Hive Propertyhive

CVE-2025-66087 Missing Auth in PropertyHive <=2.1.12 (CVE-2025-66087)

Design Stylish Cost Calculator

CVE-2025-66091 WP Plugin stylish-cost-calculator <=8.1.5 DOM XSS Vulnerability

Bqworks Accordion Slider

CVE-2025-66092 bqworks Accordion Slider <=1.9.13 Stored XSS (input unescaped)

Essential Plugin Featured Post Creative

CVE-2025-66106 Missing Auth in Featured Post Creative <=1.5.5

Merlot Digital By Tnc Tnc Toolbox

CVE-2025-66108 Missing Auth in TNC Toolbox: Web Performance <=2.0.4

Itsourcecode

CVE-2025-13485 itsourcecode OFileMgmt 1.0: Remote SQLi via ajax.php Username

Cozy Vision Sms Alert

CVE-2025-66086 Cozy Vision SMS Alert Order Notifications 3.8.8 Auth Bypass

Ribose

CVE-2025-13470 RNP 0.18.0 PKESK Session Key Zero-Init Flaw

Jegstudio Gutenverse

CVE-2025-66065 Missing Auth flaw in JegStudio Gutenberg plugin 'Gutenverse' 3.2.1

Thursday November 20, 2025

WordPress

CVE-2025-5092 WordPress Plugins: XSS via lightGallery <=2.8.3 (Contributor+ attacks)

Canonical Ubuntu Linux

CVE-2025-64524 CUPS-Filters 2.0.1 Heap-buffer-overflow in rastertopclx Filter
 

Unclassified

CVE-2025-11186 WordPress Cookie Notice Plugin <=2.5.8 Stored XSS via cookies_accepted shortcode
CVE-2025-11456 ELEX WordPress HelpDesk ARFU v3.3.1
CVE-2025-11808 Stored XSS in WP Google Street View Plugin 'streetview' Shortcode v0.5.7
CVE-2025-10054 ELEX WP HelpDesk <=3.3.1: Unauthorized removal via elex_crm_remove_agent
CVE-2025-12935 FluentCRM WP Plugin Stored XSS via fluentcrm_content Shortcode <=2.9.84
CVE-2025-64310 BruteForce via Excessive Auth Attempts in EPSON WebConfig for SEIKO Projectors
CVE-2025-11802 WordPress Bulma Shortcodes v1.0 Stored XSS via type attr.
CVE-2025-12022 ELEX WP HelpDesk <=3.3.1 missing capability check lets Subscriber restore tickets
CVE-2025-12169 ELEX WP HelpDesk: AuthZ Bypass on wp_ajax_eh_crm_sched_empty (3.3.0)
And others...

Microsoft Dynamics Omnichannel Sdk Storage Containers

CVE-2025-64655 Nov 2025: Dynamics OmniChannel SDK Storage Containers Elevation of Privilege Vulnerability

Microsoft Sharepoint Online

CVE-2025-59245 Nov 2025: Microsoft SharePoint Online Elevation of Privilege Vulnerability

Microsoft Azure Bastion

CVE-2025-49752 Nov 2025: Azure Bastion Elevation of Privilege Vulnerability

Microsoft Azure Monitor Control Service

CVE-2025-62207 Nov 2025: Azure Monitor Elevation of Privilege Vulnerability

Microsoft Visual Studio Code

CVE-2025-64660 Nov 2025: GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability

Microsoft 365 Defender Portal

CVE-2025-62459 Nov 2025: Microsoft Defender Portal Spoofing Vulnerability

Kaspersky Endpoint Security

CVE-2025-64984 Kaspersky Endpoint Security XSS via AV DBs <18.11.2025

SonicWall Sonicos

CVE-2025-40601 SonicOS SSLVPN Buffer Overflow Remote Unauth DoS

Google

CVE-2025-12414 Looker OIDC account takeover via email normalisation; fixed 24.12.100
CVE-2025-13437 zx CLI Symlink Deletion Causes External node_modules Removal

IBM Concert

CVE-2025-36149 IBM Concert Soft 1.0-2.0 Remote Click Hijacking Vulner
CVE-2025-36161 IBM Concert HSTS Misconfiguration Allowing Remote Info Exposure 1.0.0-2.0.0

Limesurvey

CVE-2025-41074 LimeSurvey 6.13 Infinite Redirect DoS via /optout Endpoint
CVE-2025-41076 LimeSurvey 6.13.0 Session Cookie Exploits Internal Info Leak

Tenda

CVE-2025-13446 Remote Buffer Overflow in Tenda AC21 16.03.08.16 /goform/SetSysTimeCfg
CVE-2025-13445 Buf Overflow Tenda AC21 16.03.08.16 /goform/SetIpMacBind Remote (CVE-2025-13445)

Abb

CVE-2025-10571 Authentication Bypass in ABB Ability Edgenius 3.2.0.0/3.2.1.1 via Alternate Path

Revive Adserver

CVE-2025-48987 Revive Adserver <=6.0.1 XSS via Improper Input Neutralization

IBM Webmethods Integration

CVE-2025-36072 IBM webMethods 11.1 Deserialization RCE via Untrusted Object Graphs