| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. |
| The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges. |
| GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232. |
| The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. |
| An attacker could decrypt sensitive data, impersonate legitimate users
or devices, and potentially gain access to network resources for lateral
attacks. |
| This vulnerability arises because there are no limitations on the number
of authentication attempts a user can make. An attacker can exploit
this weakness by continuously sending authentication requests, leading
to a denial-of-service (DoS) condition. This can overwhelm the
authentication system, rendering it unavailable to legitimate users and
potentially causing service disruption. This can also allow attackers to
conduct brute-force attacks to gain unauthorized access. |
| This vulnerability occurs when a WebSocket endpoint does not enforce
proper authentication mechanisms, allowing unauthorized users to
establish connections. As a result, attackers can exploit this weakness
to gain unauthorized access to sensitive data or perform unauthorized
actions. Given that no authentication is required, this can lead to
privilege escalation and potentially compromise the security of the
entire system. |
| This vulnerability occurs when the system permits multiple simultaneous
connections to the backend using the same charging station ID. This can
result in unauthorized access, data inconsistency, or potential
manipulation of charging sessions. The lack of proper session management
and expiration control allows attackers to exploit this weakness by
reusing valid charging station IDs to establish multiple sessions
concurrently. |
| An attacker with access to the project file could use the exposed
credentials to impersonate users, escalate privileges, or gain
unauthorized access to systems and services. The absence of robust
encryption or secure handling mechanisms increases the likelihood of
this type of exploitation, leaving sensitive information more
vulnerable. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion.This issue affects Rashy: from n/a through <= 1.1.3. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion.This issue affects iRecco Core: from n/a through <= 1.3.6. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS.This issue affects Universal Video Player: from n/a through <= 3.8.4. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS.This issue affects ListingPro Reviews: from n/a through <= 1.7. |
| Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Registration & Login with Mobile Phone Number for WooCommerce: from n/a through <= 1.3.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Logos Showcase superlogoshowcase-wp allows Reflected XSS.This issue affects Super Logos Showcase: from n/a through <= 2.8. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal.This issue affects BM Content Builder: from n/a through <= 3.16.3. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS.This issue affects Hotel Listing: from n/a through <= 1.4.0. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion.This issue affects PartyMaker: from n/a through <= 1.1.15. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion.This issue affects MoveMe: from n/a through <= 1.2.15. |
