Latest Vulnerabilities

In the past week, there has been a surge of security vulnerabilities across various platforms and applications. Notable issues include SQL injection vulnerabilities in CoinRemitter and Dreamvention Live, as well as multiple Cross-Site Scripting (XSS) vulnerabilities in Joplin and newbee-mall, which could potentially allow attackers to execute arbitrary code. Additionally, serious flaws have been identified in Connect-CMS and SFTPGo, raising concerns about user data access and command execution. The trending issues underscore the ongoing challenges organizations face in securing their systems against exploitation, highlighting the need for vigilance and prompt action.

IBM PowerHA SystemMirror for IBM i: IBM-7180036

IBM WebSphere Automation: IBM-7179994

CoinRemitter: CoinRemitter sql injection
Severity: high (7.5)

WordPress Simple add pages or posts: Simple add pages or posts <= 2.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Severity: medium (5.5)

Dreamvention Live AJAX Search Free: Dreamvention Live AJAX Search Free live_search.searchresults search sql injection
Severity: high (7.5)

RT-Thread: RT-Thread lwp_syscall.c sys_thread_create information disclosure
Severity: medium (4.8)

CVE-2025-1096: Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in…

Joplin: Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin
Severity: high (7.8)
EPSS: 0.04%

newbee-mall: newbee-mall Add Category Page save cross site scripting
Severity: medium (5.1)

Joplin: Cross-site Scripting (XSS) in Rich Text Editor allows arbitrary code execution in Joplin
Severity: high (7.8)
EPSS: 0.04%

Joplin: DOM Clobbering leads to temporary DOS in the note viewer in Joplin
Severity: low (3.3)

Taisin Tarzan-CMS: taisan tarzan-cms Add Theme admin#themes upload deserialization
Severity: medium (6.5)

composer/opensource-workshop/connect-cms: Infoleak

composer/opensource-workshop/connect-cms: Impact: There is an Access control vulnerability on the management system of Connect-CMS. Af…
Severity: medium (4.3)

pip/xml2rfc: Path Traversal

go/github.com/drakkan/sftpgo: OS Command Injection
Severity: high (7.5)

go/github.com/drakkan/sftpgo: Insufficient sanitization of user provided rsync command in SFTPGo
Severity: high (7.5)
EPSS: 0.04%

composer/pimcore/admin-ui-classic-bundle: Pimcore Admin Classic Bundle allows attackers to enumerate valid accounts becau…

vLLM: vLLM using built-in hash() from Python 3.12 leads to predictable hash collisions in vLLM prefix cache
Severity: low (2.6)
EPSS: 0.04%

Pimcore admin-ui-classic-bundle: User enumeration in pimcore/admin-ui-classic-bundle
Severity: medium (6.9)
EPSS: 0.04%

RISC Platform: Improper authorization related to Import / Export interfaces on RISC Platform
Severity: medium (5.3)

RISC Platform: 2FA Bypass on the RISC Platform
Severity: low (2.3)

Puppet: Deserialization of untrusted data
Severity: medium (6.6)

CmsEasy: CmsEasy database_admin.php restore_action path traversal
Severity: medium (5.5)

CVE-2025-0307: Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Siberiancms: SiberianCMS HTTP GET Request flat cross site scripting
Severity: medium (5.3)

CVE-2022-26389: Improper Access Control Vulnerability in ELI Electrocardiograph Devices
Severity: high (7.7)

CVE-2022-26388: Use of Hard-Coded Password Vulnerability in ELI Electrocardiograph Devices
Severity: medium (6.4)

D-Link DHP-W310AV: D-Link DHP-W310AV authentication spoofing
Severity: high (7.5)

WP All Export: WP All Export Pro <= 1.9.1 - Authenticated (ShopManager+) Arbitrary Options Update
Severity: medium (6.8)

WP All Export: WP All Export Pro <= 1.9.1 - Unauthenticated Remote Code Execution via Custom Export Fields
Severity: high (8.3)

WP All Import: WP All Import Pro <= 4.9.7 - Cross-Site Request Forgery to Imported Content Deletion
Severity: medium (4.3)

WP All Import: WP All Import Pro <= 4.9.7 - Authenticated (Administrator+) PHP Object Injection via Import File
Severity: high (7.2)

D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router: D-Link DIR-823X HTTP POST Request set_wifi_blacklists null pointer dereference
Severity: high (7.1)

GitLab: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab VSCode Fork
Severity: high (8.7)

Janto: Insufficient data authenticity vulnerability in Janto
Severity: high (8.6)

Janto: Unverified password change vulnerability in Janto
Severity: critical (9.9)

Apache Kvrocks: Cross-Protocol Scripting Vulnerability
EPSS: 0.04%

blackandwhitedigital BookPress: WordPress BookPress – For Book Authors Plugin <= 1.2.7 - Broken Access Control vulnerability
Severity: high (8.2)
EPSS: 0.04%

blackandwhitedigital BookPress: WordPress BookPress – For Book Authors Plugin <= 1.2.7 - CSRF to Stored XSS vulnerability
Severity: high (7.1)
EPSS: 0.04%

InLocation: WordPress InLocation plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)
EPSS: 0.04%

WordPress Plugin A/B Image Optimizer: WordPress Plugin A/B Image Optimizer Plugin <= 3.3 - Arbitrary File Download vulnerability
Severity: high (7.5)
EPSS: 0.04%

scweber Custom Comment Notifications: WordPress Custom Comment Notifications plugin <= 1.0.8 - CSRF to Stored XSS vulnerability
Severity: high (7.1)
EPSS: 0.04%

efreja Music Sheet Viewer: WordPress Music Sheet Viewer plugin <= 4.1 - Arbitrary File Read vulnerability
Severity: high (7.5)
EPSS: 0.04%

Mark Barnes Style Tweaker: WordPress Style Tweaker plugin <= 0.11 - CSRF to Stored XSS vulnerability
Severity: high (7.1)
EPSS: 0.04%

WordPress WP doodlez: WordPress WP doodlez plugin <= 1.0.10 - Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)
EPSS: 0.04%

Smart DoFollow: WordPress Smart DoFollow plugin <= 1.0.2 - CSRF to Stored XSS vulnerability
Severity: high (7.1)
EPSS: 0.04%

Stanko Metodiev Quote Comments: WordPress Quote Comments plugin <= 2.2.1 - CSRF to Stored XSS vulnerability
Severity: high (7.1)
EPSS: 0.04%

WordPress Simple Auto Tag: WordPress Simple Auto Tag plugin <= 1.1 - CSRF to Stored XSS vulnerability
Severity: high (7.1)
EPSS: 0.04%

Theasys: WordPress Theasys plugin <= 1.0.1 - CSRF to Stored XSS vulnerability
Severity: high (7.1)
EPSS: 0.04%

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203