| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined. |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin. |
| Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.
These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. |
| Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection.This issue affects Teknoera: through 01102025. |
| Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property.
We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issues is fixed. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS.This issue affects TheNa: from n/a through <= 1.5.5. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS.This issue affects Anon: from n/a through <= 2.2.10. |
| Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery.This issue affects WP SEO Search: from n/a through <= 1.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion.This issue affects The Aisle: from n/a through < 2.9.1. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection.This issue affects CleverReach® WP: from n/a through <= 1.5.22. |
| Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.1.1. |
| Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Scalenut: from n/a through <= 1.1.3. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal.This issue affects Anona: from n/a through <= 8.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Frontend Submit jnews-frontend-submit allows Reflected XSS.This issue affects JNews - Frontend Submit: from n/a through <= 11.0.0. |
| Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection.This issue affects Consult Aid: from n/a through <= 1.4.3. |
| Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection.This issue affects Kids Heaven: from n/a through <= 3.2. |
| Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server.This issue affects g-FFL Checkout: from n/a through <= 2.1.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS.This issue affects CodeColorer: from n/a through <= 0.10.1. |
