Latest Vulnerabilities

In the past week, numerous vulnerabilities affecting a variety of software have come to light, highlighting a broad range of security issues that could put users at risk. WordPress plugins, particularly Tripetto and Contact Manager, have shown weaknesses that allow unauthorized file uploads. In addition, several vulnerabilities in Adobe Experience Manager point to serious cross-site scripting flaws, posing risks to user data. Other notable vulnerabilities include issues with Veeam Updater that could enable man-in-the-middle attacks, and local privilege escalation problems in Parallels Desktop and Omnissa Horizon Client for macOS. These findings emphasize the need for vigilance in keeping software updated.

Each entry below gives the affected product, the advisory title and, where the feed provides them, the severity rating and score. Advisory text truncated in the feed is left truncated.

IBM PowerHA SystemMirror for IBM i: IBM-7180036
IBM WebSphere Automation: IBM-7179994
Tripetto: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.8 - Unauthenticated Sensitive Information Exposure (medium, 5.3)
Cockpit: Malicious File Upload (high, 7.7)
Spatie Browsershot: Input Validation (high, 8.8)
Spatie Browsershot: Input Validation (high, 8.6)
WordPress Contact Manager: Contact Manager <= 8.6.4 - Unauthenticated Arbitrary Double File Extension Upload (high, 8.1)
Veeam Updater: A vulnerability in Veeam Updater component allows Man-in-the-Middle attackers to execute arbitrary c… (critical, 9)
NETGEAR XR1000 firmware: Code Injection (high, 8.1)
Ubuntu Linux: Kerberos vulnerability
redhat/libsoup: Important: libsoup security update (high, 7)
Adobe Experience Manager: Cross-site Scripting (Stored XSS) (CWE-79) (medium, 5.4)
Adobe Experience Manager: Cross-site Scripting (DOM-based XSS) (CWE-79) (medium, 5.4)
Adobe Experience Manager: Cross-site Scripting (Stored XSS) (CWE-79) (medium, 5.4)
Adobe Experience Manager: Cross-site Scripting (Stored XSS) (CWE-79) (medium, 5.4)
Adobe Experience Manager: Cross-site Scripting (DOM-based XSS) (CWE-79) (medium, 5.4)
Parallels Desktop for Mac: Parallels Desktop Technical Data Reporter Link Following Local Privilege Escalation Vulnerability (high, 7.8)
Omnissa Horizon Client: Omnissa Horizon Client for macOS contains a Local privilege escalation (LPE) Vulnerability due to a … (high, 7.8)
CVE-2023-39943: Ashlar-Vellum Cobalt, Xenon, Argon, Lithium Out-of-bounds Write (high, 8.4)
Ashlar-Vellum Cobalt: Ashlar-Vellum Cobalt, Xenon, Argon, Lithium Heap-based Buffer Overflow (high, 8.4)
Omnissa Horizon Client: Omnissa Horizon Client for macOS contains a Local privilege escalation (LPE) Vulnerability due to a … (high, 7.8)
Checkmk NagVis: Checkmk NagVis Reflected Cross-site Scripting
Checkmk NagVis: Checkmk NagVis Remote Code Execution
swift/github.com/sparkle-project/Sparkle: A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing sign… (high, 7.4)
OpenText Content Management: A remote code vulnerability has been discovered in OpenText™ Content Management. (medium, 5.4)
go/github.com/edgelesssys/marblerun: Impact: During recovery, a Coordinator only verifies that a given recovery key decrypts the seal… (high, 7.1)
Discourse: Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse (medium, 4.3)
Discourse: Partial denial of service via inline oneboxes in Discourse (medium, 4.3)
Discourse: Discourse is an open source platform for community discussion. In affected versions an attacker can … (high, 8.2)
Discourse: Potential bypass of chat permissions in Discourse (medium, 4.3)
Discourse: Anonymous cache poisoning via XHR requests in Discourse (high, 8.2)
Discourse: Users can see other user's tagged PMs in Discourse (low, 2.2)
Discourse: HTMLi (XSS without CSP) via Onebox urls in Discourse (medium, 6.5)
Discourse: Client Side Path Traversal using activate account route in Discourse (low, 3.1)
Discourse: Stored DOM-based XSS (without CSP) via video placeholders in Discourse (medium, 6.5)
Sparkle: Signing Checks Bypass (high, 7.3)
Western Telematic Inc Network Power Switch (NPS Series): Western Telematic Inc NPS Series, DSM Series, CPM Series External Control of File Name or Path (medium, 6.5)
AutomationDirect C-more EA9 HMI: AutomationDirect C-more EA9 HMI Classic Buffer Overflow (critical, 9.8)
reNgine: Business Logic And Unrestricted Project Deletion Lead To Take Over the System in reNgine (high, 8.8)
reNgine: Stored XSS on Admin Panel When Deleting a User in reNgine (high, 7.4)
reNgine: HTML Injection in reNgine (medium, 5.3)
rust/cosmwasm-vm: CWA-2025-002, Severity: Medium (Moderate + Likely), Affected versions: wasmvm >= 2.…
go/github.com/CosmWasm/wasmvm/v2: Null Pointer Dereference
DumpDrop: OS Command Injection endpoint '/upload/init' parameter 'filename' (RCE) in DumpDrop (critical, 9.5)
WordPress PDF Invoices & Packing Slips for WooCommerce: Unrestricted Access to PDF Documents via URL Manipulation in woocommerce-pdf-invoices-packing-slips (medium, 6.3)
Aruba ClearPass Policy Manager: Authenticated Remote Command Injection in HPE Aruba Networking ClearPass Policy Manager Web-Based Management Interface (medium, 4.7)
Aruba ClearPass Policy Manager: Sensitive Data Exposure Vulnerability in HPE Aruba Networking ClearPass Policy Manager (CPPM) (medium, 6.6)
Aruba ClearPass Policy Manager: Sensitive Information Disclosure in HPE Aruba Networking ClearPass Policy Manager (medium, 6.8)
Hewlett Packard ClearPass Policy Manager: Authenticated Broken Access Control Vulnerability in ClearPass Policy Manager Web-Based Management Interface (high, 8.8)
BigAnt Server: BigAntSoft BigAnt Server Account Registration Bypass to File Upload RCE (critical, 9.8)

© 2025 SecAlerts Pty Ltd.