4.1
CVE-2025-4634 - Local File Inclusion
The web portal on airpointer 2.4.107-2 was vulnerable local file inclusion. A malicious user with administrative privileges in the web portal would be able to manipulate requests to view files on the filesystem
6.5
CVE-2025-4633 - Default Credentials
Default credentials were present in the web portal for Airpointer 2.4.107-2, allowing an unauthenticated malicious actor to log in via the web portal
6.4
CVE-2025-5236 - NinjaTeam Chat for Telegram <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via uβ¦
The NinjaTeam Chat for Telegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βusernameβ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lβ¦
4.3
CVE-2025-4431 - Featured Image Plus <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Featured Image β¦
The Featured Image Plus β Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackerβ¦
6.4
CVE-2025-4943 - LA-Studio Element Kit for Elementor <= 1.5.2 - Authenticated (Contributor+) DOM-Based Stored Cross-β¦
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βdata-lakit-element-linkβ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attaβ¦
6.9
CVE-2025-47697 -
Client-side enforcement of server-side security issue exists in wivia 5 all versions. If exploited, an unauthenticated attacker may bypass authentication and operate the affected device as the moderator user.
5.1
CVE-2025-41406 -
Cross-site scripting vulnerability exists in wivia 5 all versions. If exploited, when a user connects to the affected device with a specific operation, an arbitrary script may be executed on the web browser of the moderator user.
7.1
CVE-2025-41385 -
An OS Command Injection issue exists in wivia 5 all versions. If this vulnerability is exploited, an arbitrary OS command may be executed by a logged-in administrative user.
8.1
CVE-2025-48936 - ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection
Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confβ¦
4.6
CVE-2025-48488 - FreeScout Vulnerable to Stored XSS
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, deleting the file .htaccess allows an attacker to upload an HTML file containing malicious JavaScript code to the server, which can result in a Cross-Site Scripting (XSS) vulnerability. This issue has been patchβ¦