9.1
CVE-2025-58130 - Apache Fineract: Server Key not masked
Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
8.5
CVE-2025-23408 - Apache Fineract: weak password policy
Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release.
7.3
CVE-2025-40829 -
A vulnerability has been identified in Simcenter Femap (All versions < V2512). The affected application contains an uninitialized memory vulnerability while parsing specially crafted SLDPRT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27146)
6.5
CVE-2025-12960 - Simple CSV Table <= 1.0.1 - Directory Traversal to Authenticated (Contributor+) Arbitrary File Read
The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it …
8.7
CVE-2025-67731 - Servify Express does not enforce rate limiting when parsing JSON
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performanc…
5.1
CVE-2025-67730 - Frappe authenticated users can execute XSS through form description fields
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.
7.5
CVE-2025-14169 - FunnelKit - Funnel Builder for WooCommerce Checkout <= 3.13.1.5 - Unauthenticated SQL Injection
The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the …
3.5
CVE-2025-10583 - WP Fastest Cache Premium <= 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Blind Serv…
The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requ…
6.5
CVE-2025-13891 - Image Gallery - Photo Grid & Video Gallery (Modula) <= 2.13.3 - Missing Authorization to Arbitrary …
The Image Gallery - Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user …
6.1
CVE-2025-14049 - VikRentItems Flexible Rental Management System <= 1.2.0 - Reflected Cross-Site Scripting via 'delto…
The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attack…