CVSS 6.5
CVE-2025-13781 - Missing Authorization in GitLab
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.
CVSS 7.5
CVE-2025-64092 - Unauthenticated SQL injection via GET request parameters
This vulnerability allows unauthenticated attackers to inject SQL into GET request parameters and directly query the underlying database.
CVSS 8.6
CVE-2025-64091 - Authenticated Remote Code Execution in the NTP configuration
This vulnerability allows authenticated attackers to execute commands via the NTP configuration of the device.
CVSS 10
CVE-2025-64090 - Authenticated Remote Code Execution in device hostname
This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
CVSS 6.1
CVE-2025-13895 - Top Position Google Finance <= 0.1.0 - Reflected Cross-Site Scripting
The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t…
CVSS 6.4
CVE-2025-13900 - WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Short…
The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVSS 6.4
CVE-2025-13853 - Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode …
The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, w…
CVSS 6.4
CVE-2025-13729 - Entry Views <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated att…
CVSS 6.4
CVE-2026-0627 - AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers …
CVSS 7.2
CVE-2025-14657 - Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4…
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenti…