8.6

CVSS3.1

CVE-2025-54470 - NeuVector telemetry sender is vulnerable to MITM and DoS

This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transm…

📅 Published: Oct. 30, 2025, 9:38 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

5.4

CVSS3.1

CVE-2025-62402 - Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

📅 Published: Oct. 30, 2025, 9:14 a.m. 🔄 Last Modified: Nov. 4, 2025, 4:51 p.m.

4.6

CVSS3.1

CVE-2025-62503 - Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Con…

A user with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via the bulk create API with the overwrite action.

📅 Published: Oct. 30, 2025, 9:11 a.m. 🔄 Last Modified: Nov. 4, 2025, 4:52 p.m.

6.7

CVSS3.1

CVE-2025-11906 - Privilege escalation via writable configuration files in Progress Flowmon

A vulnerability exists in Progress Flowmon versions prior to 12.5.6 where certain system configuration files have incorrect file permissions, allowing a user with access to the default flowmon system user account used for SSH access to potentially escalate privileges to root during service initializat…

📅 Published: Oct. 30, 2025, 7:39 a.m. 🔄 Last Modified: Oct. 31, 2025, 3:55 a.m.

5.3

CVSS3.1

CVE-2025-11881 - AppPresser – Mobile App Framework <= 4.5.0 - Missing Authorization to Unauthenticated Limited Sensi…

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data inclu…

📅 Published: Oct. 30, 2025, 6:45 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

3.5

CVSS3.1

CVE-2025-10636 - NS Maintenance Mode for WP <= 1.3.1 - Admin+ Stored XSS

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup…

📅 Published: Oct. 30, 2025, 6 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

5.3

CVSS3.1

CVE-2025-10008 - Translate WordPress and go Multilingual – Weglot <= 5.1 - Missing Authorization to Unauthenticated …

The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited tr…

📅 Published: Oct. 30, 2025, 5:28 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

6.5

CVSS3.1

CVE-2025-11627 - Site Checkup AI Troubleshooting with Wizard and Tips for Each Issue <= 1.47 - Unauthenticated Log F…

The Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue plugin for WordPress is vulnerable to log file poisoning in all versions up to, and including, 1.47. This makes it possible for unauthenticated attackers to insert arbitrary content into log files, and potentially cause d…

📅 Published: Oct. 30, 2025, 5:28 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

6.4

CVSS3.1

CVE-2025-12475 - Blocksy Companion <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib…

📅 Published: Oct. 30, 2025, 4:26 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

6.1

CVSS3.1

CVE-2025-52180 -

Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource endpoint.

📅 Published: Oct. 30, 2025, midnight 🔄 Last Modified: Nov. 4, 2025, 3:41 p.m.