7.5
CVE-2025-68675 - Apache Airflow: proxy credentials for various providers might leak in task logs
In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such coโฆ
7.4
CVE-2025-59870 - Improper management of a static JWT signing secret in the web application, where the secret lacks rโฆ
HCL MyXalyticsย is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk
7.5
CVE-2025-68438 - Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core]ย max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not inclโฆ
8.2
CVE-2025-14844 - Membership Plugin โ Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Rโฆ
The Membership Plugin โ Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlโฆ
3.1
CVE-2025-14822 - DoS from quadratic complexity in model.ParseHashtags
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens
7.2
CVE-2025-12007 - Supermicro BMC firmware update validation bypass
There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F . An attacker can update the system firmware with a specially crafted image.
9.8
CVE-2025-60021 - Apache bRPC: Remote command injection vulnerability in heap builtin service
Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameteโฆ
5.3
CVE-2025-14757 - Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, maโฆ
7.2
CVE-2025-12006 - Supermicro BMC firmware update validation bypass
There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F . An attacker can update the system firmware with a specially crafted image.
6.4
CVE-2026-0913 - User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usโฆ
The User Submitted Posts โ Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user suppโฆ