6.9
CVE-2025-34441 - AVideo < 20.1 User Information Disclosure via Public API
AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
1.7
CVE-2025-66646 - RIOT-OS has NULL pointer dereference in gnrc_ipv6_ext_frag_reass
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving an fragmented IPv6 packeβ¦
8.3
CVE-2025-66397 - ChurchCRM's Kiosk Manager Functions are vulnerable to Broken Access Control
ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and peβ¦
7.2
CVE-2025-66396 - ChurchCRM has SQL Injection in User Editor via `type` Parameter Key
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly sanitized or type-casted befβ¦
8.8
CVE-2025-66395 - SQL Injection in Event List via `WhichType` Parameter
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. Thisβ¦
10
CVE-2025-62521 - ChurchCRM has unauthenticated RCE in its Install Wizard
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server comprβ¦
4.3
CVE-2025-14081 - Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass
The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendeβ¦
6.4
CVE-2025-13537 - Live Composer β Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) DOM-Based Stβ¦
The Live Composer β Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. Thisβ¦
6.4
CVE-2025-13217 - Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'
The Ultimate Member β User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitizatβ¦
3.9
CVE-2025-13326 - Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store
Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.