5.1

CVSS4.0

CVE-2025-41349 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este

Stored Cross-site Scripting (XSS)vylnerability type in WinPlus v24.11.27 byInformática del Este that consist of an stored XSS of a stored XSS due to a lack of proper validation of user input by sending a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus. svc/json/savesol…

📅 Published: Nov. 18, 2025, 11:26 a.m. 🔄 Last Modified: Nov. 18, 2025, 11:26 a.m.

8.7

CVSS4.0

CVE-2025-41348 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este

SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker recover, create, update an delete databases by sendng a POST request using the parameters 'val1' and 'cont in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'.

📅 Published: Nov. 18, 2025, 11:24 a.m. 🔄 Last Modified: Nov. 18, 2025, 11:24 a.m.

8.7

CVSS4.0

CVE-2025-41347 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este

Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'.

📅 Published: Nov. 18, 2025, 11:06 a.m. 🔄 Last Modified: Nov. 18, 2025, 11:06 a.m.

5.8

CVSS3.1

CVE-2025-11427 - WP Migrate Lite <= 2.7.6 - Unauthenticated Blind Server-Side Request Forgery

The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations o…

📅 Published: Nov. 18, 2025, 11 a.m. 🔄 Last Modified: Nov. 18, 2025, 11 a.m.

7.5

CVSS3.1

CVE-2025-41737 - Improper access control via php endpoint

Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules.

📅 Published: Nov. 18, 2025, 10:18 a.m. 🔄 Last Modified: Nov. 18, 2025, 10:18 a.m.

8.8

CVSS3.1

CVE-2025-41736 - Possible arbitrary code execution

A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.

📅 Published: Nov. 18, 2025, 10:18 a.m. 🔄 Last Modified: Nov. 18, 2025, 10:18 a.m.

8.8

CVSS3.1

CVE-2025-41735 - Possible arbitrary file upload

A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.

📅 Published: Nov. 18, 2025, 10:18 a.m. 🔄 Last Modified: Nov. 18, 2025, 10:18 a.m.

9.8

CVSS3.1

CVE-2025-41734 - Unauthenticated Local File Inclusion in php module

An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.

📅 Published: Nov. 18, 2025, 10:18 a.m. 🔄 Last Modified: Nov. 18, 2025, 10:18 a.m.

9.8

CVSS3.1

CVE-2025-41733 - Possible malfunction credential injection

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

📅 Published: Nov. 18, 2025, 10:17 a.m. 🔄 Last Modified: Nov. 18, 2025, 10:17 a.m.

9.3

CVSS4.0

CVE-2025-41346 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este

Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability…

📅 Published: Nov. 18, 2025, 10:04 a.m. 🔄 Last Modified: Nov. 18, 2025, 10:04 a.m.
Total resulsts: 318707
Page 8 of 31,871
« previous page » next page
Filters