5.3
CVE-2025-26527 - Non-searchable tags can still be discovered on the tag search page and in the tags block
Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
6.5
CVE-2025-26526 - Feedback response viewing and deletions did not respect Separate Groups mode
Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.
8.6
CVE-2025-26525 - Arbitrary file read risk through pdfTeX
Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).
9.4
CVE-2025-27133 - WeGIA has SQL Injection endpoint at 'dao/pet/adicionar_tipo_exame.php' parameter 'tipo_exame'
WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was discovered in the WeGIA application prior to version 3.2.15 at the `adicionar_tipo_exame.php` endpoint. This vulnerability allows an authorized attacker to execute arbitrary SQL queries, allowing access to sensiti…
6.9
CVE-2025-27112 - Navidrome has authentication bypass in Subsonic API with non-existent username
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, a…
8.4
CVE-2025-22495 -
An improper input validation vulnerability was discovered in the NTP server configuration field of the Network-M2 card. This could result in an authenticated high privileged user having the ability to execute arbitrary commands. The vulnerability has been resolved in the version 3.0.4. Note - Netw…
4.3
CVE-2025-27357 - WordPress Önceki Yazı Link Plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Musa AVCI Önceki Yazı Link onceki-yazi-linki allows Cross Site Request Forgery. This issue affects Önceki Yazı Link: from n/a through <= 1.3.
5.4
CVE-2025-27356 - WordPress Sticky Header On Scroll plugin <= 1.0 - Broken Access Control vulnerability
Missing Authorization vulnerability in Hardik Sticky Header On Scroll sticky-header-on-scroll allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Header On Scroll: from n/a through <= 1.0.
7.1
CVE-2025-27355 - WordPress Woocommerce – Loi Hamon Plugin <= 1.1.0 - CSRF to Stored XSS vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Nicolas GRILLET Woocommerce – Loi Hamon loi-hamon allows Stored XSS. This issue affects Woocommerce – Loi Hamon: from n/a through <= 1.1.0.
4.3
CVE-2025-27353 - WordPress Namaste! LMS Plugin <= 2.6.5 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Bob Namaste! LMS namaste-lms allows Cross Site Request Forgery. This issue affects Namaste! LMS: from n/a through <= 2.6.5.