4.8

CVSS4.0

CVE-2025-15505 - Luxul XWR-600 Web Administration cross site scripting

A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit h…

📅 Published: Jan. 11, 2026, 1:32 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

5.1

CVSS4.0

CVE-2026-0824 - questdb ui Web Console cross site scripting

A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to …

📅 Published: Jan. 10, 2026, 2:32 p.m. 🔄 Last Modified: April 18, 2026, 7:15 a.m.

4.3

CVSS3.1

CVE-2025-13393 - Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery …

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This…

📅 Published: Jan. 10, 2026, 1:47 p.m. 🔄 Last Modified: April 21, 2026, 12:30 a.m.

6.4

CVSS3.1

CVE-2025-12379 - Shortcodes and extra features for Phlox theme <= 2.17.13 - Authenticated (Contributor+) Stored Cros…

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and ‘title_tag’ parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possi…

📅 Published: Jan. 10, 2026, 1:47 p.m. 🔄 Last Modified: April 22, 2026, 8:15 p.m.

5.3

CVSS4.0

CVE-2026-0822 - quickjs-ng quickjs quickjs.c js_typed_array_sort heap-based overflow

A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The…

📅 Published: Jan. 10, 2026, 1:32 p.m. 🔄 Last Modified: April 18, 2026, 7:15 a.m.

6.9

CVSS4.0

CVE-2026-0821 - quickjs-ng quickjs quickjs.c js_typed_array_constructor heap-based overflow

A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed …

📅 Published: Jan. 10, 2026, 1:02 p.m. 🔄 Last Modified: April 18, 2026, 7:15 a.m.

6.4

CVSS3.1

CVE-2025-14555 - Countdown Timer - Widget Countdown <= 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Script…

The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it …

📅 Published: Jan. 10, 2026, 12:23 p.m. 🔄 Last Modified: April 20, 2026, 9:15 p.m.

4.8

CVSS4.0

CVE-2025-15504 - lief-project LIEF ELF Binary Parser.tcc parse_binary null pointer dereference

A security flaw has been discovered in lief-project LIEF up to 0.17.1. Affected by this issue is the function Parser::parse_binary of the file src/ELF/Parser.tcc of the component ELF Binary Parser. The manipulation results in null pointer dereference. The attack must be initiated from a local posit…

📅 Published: Jan. 10, 2026, 11:32 a.m. 🔄 Last Modified: Feb. 23, 2026, 9:16 a.m.

6.4

CVSS3.1

CVE-2025-14506 - ConvertForce Popup Builder <= 0.0.7 - Stored Cross-Site Scripting via entrance_animation

The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authe…

📅 Published: Jan. 10, 2026, 11:22 a.m. 🔄 Last Modified: April 20, 2026, 9:15 p.m.

7.5

CVSS3.1

CVE-2025-52435 - Apache Mynewt NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange.…

📅 Published: Jan. 10, 2026, 9:47 a.m. 🔄 Last Modified: Jan. 14, 2026, 4:30 p.m.