CVE-2025-29834 | Out-of-bounds read in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-29825 | User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | medium |
CVE-2025-29823 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-29822 | Incomplete list of disallowed inputs in Microsoft Office OneNote allows an unauthorized attacker to bypass a security feature locally. | high |
CVE-2025-29820 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | high |
CVE-2025-29817 | Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network. | medium |
CVE-2025-29267 | SQL Injection vulnerability in Abis, Inc Adjutant Core Accounting ERP build v.PreBeta250F allows a remote attacker to obtain sensitive information via the cid parameter in the GET request. | medium |
CVE-2025-29012 | Missing Authorization vulnerability in kamleshyadav CF7 7 Mailchimp Add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 7 Mailchimp Add-on: from n/a through 2.2. | medium |
CVE-2025-29007 | Missing Authorization vulnerability in LMSACE LMSACE Connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LMSACE Connect: from n/a through 3.4. | medium |
CVE-2025-29001 | Missing Authorization vulnerability in ZoomIt WooCommerce Shop Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7. | medium |
CVE-2025-28983 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects Click & Pledge Connect: from 25.04010101 through WP6.8. | critical |
CVE-2025-28980 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in machouinard Aviation Weather from NOAA allows Path Traversal. This issue affects Aviation Weather from NOAA: from n/a through 0.7.2. | high |
CVE-2025-28978 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hung Trang Si SB Breadcrumbs allows Reflected XSS. This issue affects SB Breadcrumbs: from n/a through 1.0. | high |
CVE-2025-28976 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dsrodzin Email Address Security by WebEmailProtector allows Stored XSS. This issue affects Email Address Security by WebEmailProtector: from n/a through 3.3.6. | medium |
CVE-2025-28971 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CWD Web Designer Easy Elements Hider allows Stored XSS. This issue affects Easy Elements Hider: from n/a through 2.0. | medium |
CVE-2025-28969 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cybio Gallery Widget allows SQL Injection. This issue affects Gallery Widget: from n/a through 1.2.1. | high |
CVE-2025-28968 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac WP Wall allows Reflected XSS. This issue affects WP Wall: from n/a through 1.7.3. | high |
CVE-2025-28967 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through 3.7.4. | high |
CVE-2025-28963 | Server-Side Request Forgery (SSRF) vulnerability in Md Yeasin Ul Haider URL Shortener allows Server Side Request Forgery. This issue affects URL Shortener: from n/a through 3.0.7. | medium |
CVE-2025-28957 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OwnerRez OwnerRez allows Stored XSS. This issue affects OwnerRez: from n/a through 1.2.1. | medium |
CVE-2025-28951 | Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image allows Upload a Web Shell to a Web Server. This issue affects Bulk Featured Image: from n/a through 1.2.1. | critical |
CVE-2025-2827 | IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 could disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system. | medium |
CVE-2025-2793 | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4, and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6 and 6.2.0.0 through 6.2.0.4, are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | medium |
CVE-2025-27732 | Sensitive data storage in improperly locked memory in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27731 | Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27730 | Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27729 | Use after free in Windows Shell allows an unauthorized attacker to execute code locally. | high |
CVE-2025-27728 | Out-of-bounds read in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27727 | Improper link resolution before file access ('link following') in Windows Installer allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27492 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Secure Channel allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27491 | Use after free in Windows Hyper-V allows an authorized attacker to execute code over a network. | high |
CVE-2025-27490 | Heap-based buffer overflow in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27486 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. | high |
CVE-2025-27485 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. | high |
CVE-2025-27484 | Sensitive data storage in improperly locked memory in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges over a network. | high |
CVE-2025-27483 | Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally. | high |
CVE-2025-27482 | Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-27481 | Stack-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-27480 | Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-27479 | Insufficient resource pool in Windows Kerberos allows an unauthorized attacker to deny service over a network. | high |
CVE-2025-27478 | Heap-based buffer overflow in Windows Local Security Authority (LSA) allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27477 | Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-27476 | Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27475 | Sensitive data storage in improperly locked memory in Windows Update Stack allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-27474 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | medium |
CVE-2025-27473 | Uncontrolled resource consumption in Windows HTTP.sys allows an unauthorized attacker to deny service over a network. | high |
CVE-2025-27472 | Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature over a network. | medium |
CVE-2025-27471 | Sensitive data storage in improperly locked memory in Microsoft Streaming Service allows an unauthorized attacker to deny service over a network. | medium |
CVE-2025-27470 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. | high |
CVE-2025-27469 | Uncontrolled resource consumption in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to deny service over a network. | high |