5.4
CVE-2024-11390 - Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS
Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victimβs browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.
4.3
CVE-2025-25016 - Kibana Unrestricted Upload of File
Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation.
5.7
CVE-2024-11994 - APM Server Insertion of Sensitive Information into Log File
APM server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs.
4.4
CVE-2024-52976 - Elastic Agent Inclusion of Functionality from Untrusted Control Sphere
Inclusion of functionality from an untrusted control sphere in Elastic Agent subprocess, osqueryd, allows local attackers to execute arbitrary code via parameter injection. An attacker requires local access and the ability to modify osqueryd configurations.
6.2
CVE-2023-46669 - Elastic Agent / Elastic Endpoint Security local API key disclosure
Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has β¦
6.9
CVE-2025-4164 - PHPGurukul Employee Record Management System changepassword.php sql injection
A vulnerability, which was classified as critical, was found in PHPGurukul Employee Record Management System 1.3. Affected is an unknown function of the file changepassword.php. The manipulation of the argument currentpassword leads to sql injection. It is possible to launch the attack remotely. Thβ¦
5.3
CVE-2025-4163 - PHPGurukul Land Record System aboutus.php sql injection
A vulnerability, which was classified as critical, has been found in PHPGurukul Land Record System 1.0. This issue affects some unknown processing of the file /admin/aboutus.php. The manipulation of the argument pagetitle leads to sql injection. The attack may be initiated remotely. The exploit hasβ¦
6.4
CVE-2025-3890 - WordPress Simple PayPal Shopping Cart <= 5.1.3 - Authenticated (Contributor+) Stored Cross-Site Scrβ¦
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_cart_button' shortcode in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibleβ¦
6.5
CVE-2025-3874 - WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and ediβ¦
5.3
CVE-2025-3889 - WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change theβ¦