2.1
CVE-2025-47929 - DumbDrop vulnerable to DOM XSS via file upload
DumbDrop, a file upload application that provides an interface for dragging and dropping files, has a DOM cross-site scripting vulnerability in the upload functionality prior to commit db27b25372eb9071e63583d8faed2111a2b79f1b. A user could be tricked into uploading a file with a malicious payload. β¦
4.3
CVE-2025-1138 - IBM Information Server information disclosure
IBM InfoSphere Information Server 11.7 could disclose sensitive information to an authenticated user that could aid in further attacks against the system through a directory listing.
0.0
CVE-2025-4801 -
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
9.1
CVE-2025-47928 - Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`
Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on `.github/workflows/integration_tests.yml` followed by the checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be exβ¦
4.3
CVE-2024-8009 - Sensei LMS < 4.20.0 - Teacher+ Users Email Address Disclosure
The Sensei LMS WordPress plugin before 4.20.0 disclose all users of the blog including their email address to teachers on the students page
3.5
CVE-2024-6711 - Event Tickets with Ticket Scanner < 2.3.8 - Admin+ Stored XSS
The Event Tickets with Ticket Scanner WordPress plugin before 2.3.8 does not sanitise and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks
6.4
CVE-2024-4665 - EventPrime β Events Calendar, Bookings and Tickets < 3.5.0 - Subscriber+ Arbitrary booking settingβ¦
The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Additionally, the feature is lacking a nonce.
3.5
CVE-2024-4091 - Responsive Gallery Grid < 2.3.15 - Admin+ Stored XSS
The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
3.5
CVE-2024-4004 - Advanced Cron Manager < 2.5.7 - Admin+ Stored XSS
The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
3.5
CVE-2024-4002 - Carousel, Slider, Gallery by WP Carousel < 2.6.9 - Editor+ Stored XSS
The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in mβ¦