6.4

CVSS3.1

CVE-2025-8684 - Flatsome <= 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Flatsome Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with cont…

📅 Published: Sept. 5, 2025, 3:25 a.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.

6.5

CVSS3.1

CVE-2025-7445 - Kubernetes secrets-store-sync-controller discloses service account tokens in logs

Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs.

📅 Published: Sept. 5, 2025, 2:31 a.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.

8.1

CVSS3.1

CVE-2025-9990 - WordPress Helpdesk Integration <= 5.8.10 - Unauthenticated Local File Inclusion

The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the exec…

📅 Published: Sept. 5, 2025, 2:25 a.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.

7.2

CVSS3.1

CVE-2025-58780 -

index.em7 in ScienceLogic SL1 before 12.1.1 allows SQL Injection via a parameter in a request.

📅 Published: Sept. 5, 2025, midnight 🔄 Last Modified: Sept. 5, 2025, 2:22 p.m.

7.5

CVSS3.1

CVE-2025-58362 - Hono contains a flaw in URL path parsing, potentially leading to path confusion

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). The original implementation relie…

📅 Published: Sept. 4, 2025, 11:56 p.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.

6

CVSS4.0

CVE-2025-58359 - frost-core: refresh shares with smaller min_signers will reduce group security

ZF FROST is a Rust implementation of FROST (Flexible Round-Optimised Schnorr Threshold signatures). In versions 2.0.0 through 2.1.0, refresh shares with smaller min_signers will reduce security of group. The inability to change min_signers (i.e. the threshold) with the refresh share functionality (…

📅 Published: Sept. 4, 2025, 11:50 p.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.

7.2

CVSS3.1

CVE-2025-58179 - Astro Cloudflare adapter is vulnerable to Server-Side Request Forgery via /_image endpoint

Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs …

📅 Published: Sept. 4, 2025, 11:36 p.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.

2.1

CVSS4.0

CVE-2025-58352 - Weblate has long session expiry times during second factor verification

Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in version 5.13.1.

📅 Published: Sept. 4, 2025, 11:28 p.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.

5.1

CVSS4.0

CVE-2025-55739 - api: Shared OAuth Signing Key Between Different Instances

api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An…

📅 Published: Sept. 4, 2025, 11:22 p.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.

9

CVSS3.1

CVE-2025-55241 - Azure Entra Elevation of Privilege Vulnerability

Azure Entra Elevation of Privilege Vulnerability

📅 Published: Sept. 4, 2025, 11:09 p.m. 🔄 Last Modified: Sept. 5, 2025, 2:01 p.m.