9.3
CVE-2025-40628 - SQL Injection in DomainsPRO
SQL injection vulnerability in DomainsPRO 1.2. This vulnerability could allow an attacker to retrieve, create, update and delete databases via the “d” parameter in the “/article.php” endpoint.
8.4
CVE-2025-4647 - A user with elevated privileges can bypass sanitization measures by replacing the content of an exi…
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows Reflected XSS. A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG. This issue affects web: from 24.10.0 before…
7.2
CVE-2025-4646 - A high privilege user is able to create and use a valid admin API token in centreon-web
Improper Privilege Management vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
9.4
CVE-2025-22248 - [pgpool] Unauthenticated access to postgres through pgpool
The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itself uses to perform streaming replication chec…
8.6
CVE-2025-41645 - SMA: Sunny Portal demo system privilege escalation
An unauthenticated remote attacker could use a demo account of the portal to hijack devices that were created in that account by mistake.
4.6
CVE-2025-3916 -
CWE-121: Stack-based Buffer Overflow vulnerability exists that could cause local attackers being able to exploit these issues to potentially execute arbitrary code while the end user opens a malicious project file (SSD file) provided by the attacker.
5.3
CVE-2025-27696 - Apache Superset: Improper authorization leading to resource ownership takeover
Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.
8.8
CVE-2025-4474 - Frontend Dashboard 1.0 - 2.2.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Esc…
The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite th…
4.3
CVE-2025-4339 - TheGem <= 5.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Theme Options Upd…
The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary…
8.8
CVE-2025-4317 - TheGem <= 5.10.3 - Authenticated (Subscriber+) Arbitrary File Upload
The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitr…