7.4
CVE-2025-59870 - Improper management of a static JWT signing secret in the web application, where the secret lacks r…
HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk
7.5
CVE-2025-68438 - Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not incl…
8.2
CVE-2025-14844 - Membership Plugin – Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object R…
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-control…
3.1
CVE-2025-14822 - DoS from quadratic complexity in model.ParseHashtags
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens
7.2
CVE-2025-12007 - Supermicro BMC firmware update validation bypass
There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F . An attacker can update the system firmware with a specially crafted image.
9.8
CVE-2025-60021 - Apache bRPC: Remote command injection vulnerability in heap builtin service
Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options paramete…
5.3
CVE-2025-14757 - Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, ma…
7.2
CVE-2025-12006 - Supermicro BMC firmware update validation bypass
There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F . An attacker can update the system firmware with a specially crafted image.
6.4
CVE-2026-0913 - User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'us…
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supp…
5.3
CVE-2026-1004 - Essential Addons for Elementor <= 6.5.5 - Missing Authorization to Unauthenticated Sensitive Inform…
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for pro…