9.8
CVE-2025-8995 - Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass. This issue affects Authenticator Login: from 0.0.0 before 2.1.4.
4.7
CVE-2025-8675 - AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095
Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery. This issue affects AI SEO Link Advisor: from 0.0.0 before 1.0.6.
4.3
CVE-2025-8362 - GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS). This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0.
7.6
CVE-2025-8361 - Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093
Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing. This issue affects Config Pages: from 0.0.0 before 2.18.0.
7.6
CVE-2025-8092 - COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.16.
9.1
CVE-2025-9060 - MFlash Remote Code Execution (RCE) after authentication of a user with the "administrator" role
A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. The issue occurs in the integration configuration functionality that is only available to MFlash administrators. The vulnerability is related to insufficient validation of…
4.8
CVE-2025-8066 - Bunker Web 1.6.2 - Uncontrolled external site redirect
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bunkerity Bunker Web on Linux allows Phishing. This issue affects Bunker Web: 1.6.2.
7.6
CVE-2025-49898 - WordPress Dropshix plugin <= 4.0.14 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS. This issue affects Dropshix: from n/a through 4.0.14.
5.3
CVE-2025-49432 - WordPress Ultimate Video Player Plugin <= 10.1 - Broken Access Control Vulnerability
Missing Authorization vulnerability in FWDesign Ultimate Video Player fwduvp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Video Player: from n/a through <= 10.1.
8.8
CVE-2025-49897 - WordPress Vertical scroll slideshow gallery v2 plugin <= 9.1 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1.