6.5
CVE-2025-50183 - OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer
OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain moβ¦
6.4
CVE-2025-6201 - Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting vβ¦
The Pixel Manager for WooCommerce β Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escapinβ¦
5.3
CVE-2025-50182 - urllib3 does not control redirects in browsers and Node.js
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Pythβ¦
5.3
CVE-2025-50181 - urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting β¦
2.7
CVE-2025-4563 - Nodes can bypass dynamic resource allocation authorization checks
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to peβ¦
9.8
CVE-2025-24288 -
The Versa Director software exposes a number of services by default and allow attackers an easy foothold due to default credentials and multiple accounts (most with sudo access) that utilize the same default credentials. By default, Versa director exposes ssh and postgres to the internet, alongsideβ¦
6.1
CVE-2025-24291 -
The Versa Director SD-WAN orchestration platform provides functionality to upload various types of files. However, the Java code handling file uploads contains an argument injection vulnerability. By appending additional arguments to the file name, an attacker can bypass MIME type validation, allowβ¦
9.8
CVE-2024-45208 -
The Versa Director SD-WAN orchestration platform which makes use of Cisco NCS application service. Active and Standby Directors communicate over TCP ports 4566 and 4570 to exchange High Availability (HA) information using a shared password. Affected versions of Versa Director bound to these ports oβ¦
7.2
CVE-2025-23171 -
The Versa Director SD-WAN orchestration platform provides an option to upload various types of files. The Versa Director does not correctly limit file upload permissions. The UI appears not to allow file uploads but uploads still succeed. In addition, the Versa Director discloses the full filename β¦
6.3
CVE-2025-23168 -
The Versa Director SD-WAN orchestration platform implements Two-Factor Authentication (2FA) using One-Time Passcodes (OTP) delivered via email or SMS. Versa Director accepts untrusted user input when dispatching 2FA codes, allowing an attacker who knows a valid username and password to redirect theβ¦