| CVE-2025-32385 | EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5. | medium |
| CVE-2025-30215 | NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. This vulnerability is fixed in v2.11.1 or v2.10.27. | critical |
| CVE-2025-32435 | Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively. | low |
| CVE-2025-32388 | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. This vulnerability is fixed in 2.20.6. | medium |
| CVE-2025-25458 | Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serverName2. | medium |
| CVE-2025-25453 | Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serviceName2. | medium |
| CVE-2025-22911 | RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formiNICbasicREP function. | medium |
| CVE-2025-32923 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Tourmaster allows Reflected XSS. This issue affects Tourmaster: from n/a through n/a. | high |
| CVE-2025-32784 | conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. In versions prior to 2025.4.10, a race condition vulnerability has been identified in the conda-forge-webservices component used within the shared build infrastructure. This vulnerability, categorized as a Time-of-Check to Time-of-Use (TOCTOU) issue, can be exploited to introduce unauthorized modifications to build artifacts stored in the cf-staging Anaconda channel. Exploitation may result in the unauthorized publication of malicious artifacts to the production conda-forge channel. The core vulnerability results from the absence of atomicity between the hash validation and the artifact copy operation. This gap allows an attacker, with access to the cf-staging token, to overwrite the validated artifact with a malicious version immediately after hash verification, but before the copy action is executed. As the cf-staging channel permits artifact overwrites, such an operation can be carried out using the anaconda upload --force command. This vulnerability is fixed in 2025.4.10. | high |
| CVE-2025-32782 | Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0. | medium |
| CVE-2025-31950 | An unauthenticated attacker can obtain EV charger energy consumption information of other users. | medium |
| CVE-2025-31945 | An unauthenticated attacker can obtain other users' charger information. | medium |
| CVE-2025-31654 | An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | medium |
| CVE-2025-31360 | Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | medium |
| CVE-2025-31147 | Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | medium |
| CVE-2025-30984 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound SEO Tools allows Reflected XSS. This issue affects SEO Tools: from n/a through 4.0.7. | high |
| CVE-2025-30982 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through 1.0.8. | medium |
| CVE-2025-30970 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Contact allows Reflected XSS. This issue affects Easy Contact: from n/a through 0.1.2. | high |
| CVE-2025-30967 | Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a. | critical |
| CVE-2025-30966 | Path Traversal vulnerability in NotFound WPJobBoard allows Path Traversal. This issue affects WPJobBoard: from n/a through n/a. | medium |
| CVE-2025-30512 | Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off). | medium |
| CVE-2025-30510 | An attacker can upload an arbitrary file instead of a plant image. | critical |
| CVE-2025-30257 | Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | medium |
| CVE-2025-29471 | Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field. | high |
| CVE-2025-27929 | Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | medium |
| CVE-2025-27927 | An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API. | medium |
| CVE-2025-27892 | Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression. | medium |
| CVE-2025-27719 | Unauthenticated attackers can query an API endpoint and get device details. | medium |
| CVE-2025-27575 | An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | medium |
| CVE-2025-27565 | An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | medium |
| CVE-2025-27561 | Unauthenticated attackers can rename "rooms" of arbitrary users. | medium |
| CVE-2025-27011 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam Booking and Rental Manager allows PHP Local File Inclusion. This issue affects Booking and Rental Manager: from n/a through 2.2.8. | high |
| CVE-2025-27008 | Missing Authorization vulnerability in NotFound Unlimited Timeline allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Unlimited Timeline: from n/a through n/a. | high |
| CVE-2025-26998 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 1.8. | medium |
| CVE-2025-26996 | Improper Control of Generation of Code ('Code Injection') vulnerability in Fetch Designs Sign-up Sheets allows Code Injection. This issue affects Sign-up Sheets: from n/a through 2.3.0.1. | medium |
| CVE-2025-26953 | Missing Authorization vulnerability in NotFound JetMenu allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetMenu: from n/a through 2.4.9. | high |
| CVE-2025-26951 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in covertnine C9 Blocks allows DOM-Based XSS. This issue affects C9 Blocks: from n/a through 1.7.7. | medium |
| CVE-2025-26950 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AddonsPress Nepali Date Converter allows Stored XSS. This issue affects Nepali Date Converter: from n/a through 2.0.8. | medium |
| CVE-2025-26934 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphthemes Glossy Blog allows Stored XSS. This issue affects Glossy Blog: from n/a through 1.0.3. | medium |
| CVE-2025-26930 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alleythemes Home Services allows DOM-Based XSS. This issue affects Home Services: from n/a through 1.2.6. | medium |
| CVE-2025-26927 | Unrestricted Upload of File with Dangerous Type vulnerability in EPC AI Hub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through 1.3.3. | critical |
| CVE-2025-26919 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tainacan Tainá allows Stored XSS. This issue affects Tainá: from n/a through 0.2.2. | medium |
| CVE-2025-26908 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gurmehub Kargo Entegratör allows SQL Injection. This issue affects Kargo Entegratör: from n/a through 1.1.14. | high |
| CVE-2025-26906 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts allows DOM-Based XSS. This issue affects WP Delete User Accounts: from n/a through 1.2.3. | medium |
| CVE-2025-26903 | Cross-Site Request Forgery (CSRF) vulnerability in RealMag777 InPost Gallery allows Cross Site Request Forgery. This issue affects InPost Gallery: from n/a through 2.1.4.3. | medium |
| CVE-2025-26880 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through 2.3. | medium |
| CVE-2025-26870 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound JetEngine allows DOM-Based XSS. This issue affects JetEngine: from n/a through 3.6.4.1. | medium |
| CVE-2025-26857 | Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). | medium |
| CVE-2025-26749 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through 1.7.0. | medium |
| CVE-2025-26748 | Cross-Site Request Forgery (CSRF) vulnerability in LOOS,Inc. Arkhe allows PHP Local File Inclusion. This issue affects Arkhe: from n/a through 3.11.0. | high |
