CVE List - 2025 / October
Showing 3301 - 3400 of 4280 CVEs for October 2025 (Page 34 of 43)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-62711 | 2025-10-24 | Wasmtime vulnerable to segfault when using component resources |
| CVE-2025-12194 | 2025-10-24 | Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for... |
| CVE-2025-34500 | 2025-10-24 | Shuffle Master Deck Mate 2 Insecure Update Chain |
| CVE-2025-34502 | 2025-10-24 | Shuffle Master Deck Mate 2 Missing Secure Boot |
| CVE-2025-34503 | 2025-10-24 | Shuffle Master Deck Mate 1 Unauthenticated EEPROM Firmware Execution |
| CVE-2025-11760 | 2025-10-25 | eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams <= 1.5.6 - Unauthenticated Sensitive Information Exposure |
| CVE-2025-10579 | 2025-10-25 | BackWPup <= 5.5.0 - Missing Authorization to Sensitive Information Exposure |
| CVE-2025-11823 | 2025-10-25 | ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-11269 | 2025-10-25 | Product Filter by WBW <= 3.0.0 - Missing Authorization to Unauthenticated Settings Update |
| CVE-2025-11238 | 2025-10-25 | Watu Quiz <= 3.4.4 - Unauthenticated Stored Cross-Site Scripting via HTTP Referer |
| CVE-2025-8413 | 2025-10-25 | Listeo <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode |
| CVE-2025-6680 | 2025-10-25 | Tutor LMS <= 3.8.3 - Missing Authorization to Sensitive Information Exposure |
| CVE-2025-8666 | 2025-10-25 | Testimonial Carousel For Elementor <= 11.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets |
| CVE-2025-11564 | 2025-10-25 | Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update |
| CVE-2025-11244 | 2025-10-25 | Password Protected <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing |
| CVE-2025-8588 | 2025-10-25 | Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks <= 3.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-11879 | 2025-10-25 | GenerateBlocks <= 2.1.1 - Improper Authorization to Authenticated (Contributor+) Arbitrary Options Disclosure |
| CVE-2025-10737 | 2025-10-25 | Open Source Genesis Framework <= 3.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes |
| CVE-2025-11888 | 2025-10-25 | ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4 - Incorrect Authorization to Authenticated (Editor+) License Status Update |
| CVE-2025-6639 | 2025-10-25 | Tutor LMS Pro – eLearning and online course solution <= 3.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to View/Edit Other Assignments |
| CVE-2025-10694 | 2025-10-25 | User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.8.0 - Missing Authorization to Information Disclosure |
| CVE-2025-12005 | 2025-10-25 | WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update |
| CVE-2025-12095 | 2025-10-25 | Simple Registration for WooCommerce <= 1.5.8 - Cross-Site Request Forgery to Privilege Escalation via Role Request Approval |
| CVE-2025-12034 | 2025-10-25 | Fast Velocity Minify <= 3.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-10488 | 2025-10-25 | Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.4.8 - Authenticated (Subscriber+) Arbitrary File Move |
| CVE-2025-11893 | 2025-10-25 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.8.4 - Authenticated (Subscriber+) SQL Injection |
| CVE-2025-11497 | 2025-10-25 | Advanced Database Cleaner <= 3.1.6 - Cross-Site Request Forgery to Settings Manipulation |
| CVE-2025-11255 | 2025-10-25 | Password Policy Manager \| Password Manager <= 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out |
| CVE-2025-10580 | 2025-10-25 | Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-9322 | 2025-10-25 | Stripe Payment Forms <= 8.3.1 - Unauthenticated SQL Injection |
| CVE-2025-8483 | 2025-10-25 | Discussion Board – WordPress Forum Plugin <= 2.5.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution |
| CVE-2025-10637 | 2025-10-25 | Social Feed Gallery <= 4.9.2 - Missing Authorization to Unauthenticated Information Exposure |
| CVE-2025-4203 | 2025-10-25 | wpForo Forum <= 2.4.8 - Unauthenticated SQL Injection via get_members Function |
| CVE-2025-8416 | 2025-10-25 | Product Filter by WBW <= 2.9.7 - Unauthenticated SQL Injection |
| CVE-2025-11976 | 2025-10-25 | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Cross-Site Request Forgery to Sync Rule Creation |
| CVE-2025-11875 | 2025-10-25 | SpendeOnline.org <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-11897 | 2025-10-25 | The7 — Ultimate WordPress & WooCommerce Theme <= 12.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'the7_fancy_title_css' |
| CVE-2025-12216 | 2025-10-25 | Malicious / Malformed App can be Installed but not Uninstalled |
| CVE-2025-12217 | 2025-10-25 | SNMP Default Community String (public) |
| CVE-2025-12218 | 2025-10-25 | Weak Default Credentials |
| CVE-2025-12219 | 2025-10-25 | Vulnerable Components in Azure Access OS |
| CVE-2025-12220 | 2025-10-25 | Busybox 1.31.1 - Multiple Known Vulnerabilities |
| CVE-2025-12221 | 2025-10-25 | CSRF Token not Properly Implemented |
| CVE-2025-55757 | 2025-10-25 | Extension - virtuemart.net - XSS in VirtueMart component 1.0.0 - 4.4.10 for Joomla |
| CVE-2025-8709 | 2025-10-26 | SQL Injection in langchain-ai/langchain |
| CVE-2025-12278 | 2025-10-26 | Logout Functionality not Working |
| CVE-2025-12275 | 2025-10-26 | Mail Configuration File Manipulation + Command Execution |
| CVE-2025-12284 | 2025-10-26 | Lack of Input Validation |
| CVE-2025-12285 | 2025-10-26 | Missing Initial Password Change |
| CVE-2025-11989 | 2025-10-26 | Missing Authorization in GitLab |
| CVE-2023-37749 | 2025-10-27 | Incorrect access control in the REST API endpoint of HubSpot v1.29441 allows unauthenticated attackers to view users' data without proper authorization. |
| CVE-2023-49440 | 2025-10-27 | AhnLab EPP 1.0.15 is vulnerable to SQL Injection via the "preview parameter." |
| CVE-2025-27222 | 2025-10-27 | TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included.... |
| CVE-2025-27223 | 2025-10-27 | TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie,... |
| CVE-2025-27224 | 2025-10-27 | TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/fileupload endpoint to upload files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included.... |
| CVE-2025-27225 | 2025-10-27 | TRUfusion Enterprise through 7.10.4.0 exposes the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint to unauthenticated users. This endpoint discloses sensitive internal information including PII to unauthenticated attackers. |
| CVE-2025-52263 | 2025-10-27 | An issue in the Web Configuration module of Startcharge Artemis AC Charger 7-22 kW v1.0.4 allows authenticated network-adjacent attackers to upload crafted firmware, leading to arbitrary code execution. |
| CVE-2025-52264 | 2025-10-27 | StarCharge Artemis AC Charger 7-22 kW v1.0.4 was discovered to contain a stack overflow via the cgiMain function at download.cgi. |
| CVE-2025-52268 | 2025-10-27 | StarCharge Artemis AC Charger 7-22 kW v1.0.4 was discovered to contain a hardcoded AES key which allows attackers to forge or decrypt valid login tokens. |
| CVE-2025-54965 | 2025-10-27 | An XSS issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service does not properly sanitize the job ID parameter before using it in the... |
| CVE-2025-54967 | 2025-10-27 | An issue was discovered in BAE SOCET GXP before 4.6.0.3. It permits external entities in certain XML-based files. An attacker who is able to social engineer a SOCET GXP user... |
| CVE-2025-54968 | 2025-10-27 | An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Service does not require authentication. In some configurations, this may allow remote users to submit jobs,... |
| CVE-2025-54969 | 2025-10-27 | An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service does not implement CSRF protections. An attacker who social engineers a valid user into... |
| CVE-2025-54970 | 2025-10-27 | An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service fails to authenticate requests. In some configurations, this may allow remote or local users... |
| CVE-2025-60291 | 2025-10-27 | An issue was discovered in eTimeTrackLite Web thru 12.0 (20250704). There is a permission control flaw that allows unauthorized attackers to access specific routes and modify database connection configurations. |
| CVE-2025-60424 | 2025-10-27 | A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack. |
| CVE-2025-60425 | 2025-10-27 | Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack. |
| CVE-2025-60791 | 2025-10-27 | Easywork Enterprise 2.1.3.354 is vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory after a failed activation attempt. The keys... |
| CVE-2025-60982 | 2025-10-27 | IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access... |
| CVE-2025-60983 | 2025-10-27 | Reflected Cross Site Scripting vulnerability in Rubikon Banking Solution 4.0.3 in the "Search For Customers Information" endpoints. |
| CVE-2025-61099 | 2025-10-27 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61100 | 2025-10-27 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61101 | 2025-10-27 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61102 | 2025-10-27 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61105 | 2025-10-27 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_link_info function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS)... |
| CVE-2025-61247 | 2025-10-27 | indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in the password parameter of login.php. |
| CVE-2025-61385 | 2025-10-27 | SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list input to function pg8000.native.literal. |
| CVE-2025-61481 | 2025-10-27 | An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s... |
| CVE-2025-61482 | 2025-10-27 | Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines... |
| CVE-2025-11447 | 2025-10-27 | Allocation of Resources Without Limits or Throttling in GitLab |
| CVE-2025-11974 | 2025-10-27 | Allocation of Resources Without Limits or Throttling in GitLab |
| CVE-2025-11971 | 2025-10-27 | Incorrect Authorization in GitLab |
| CVE-2025-10497 | 2025-10-27 | Allocation of Resources Without Limits or Throttling in GitLab |
| CVE-2025-6601 | 2025-10-27 | Business Logic Errors in GitLab |
| CVE-2025-12201 | 2025-10-27 | ajayrandhawa User-Management-PHP-MYSQL User Management edit-user.php unrestricted upload |
| CVE-2025-12202 | 2025-10-27 | ajayrandhawa User-Management-PHP-MYSQL web cross-site request forgery |
| CVE-2025-62881 | 2025-10-27 | WordPress WP-Lister Lite for eBay plugin <= 3.8.3 - Broken Access Control vulnerability |
| CVE-2025-62882 | 2025-10-27 | WordPress Seriously Simple Podcasting plugin <= 3.13.0 - Broken Access Control vulnerability |
| CVE-2025-62883 | 2025-10-27 | WordPress Premmerce User Roles plugin <= 1.0.13 - Broken Access Control vulnerability |
| CVE-2025-62884 | 2025-10-27 | WordPress Coupon Affiliates plugin <= 7.0.3 - Broken Access Control vulnerability |
| CVE-2025-62885 | 2025-10-27 | WordPress WP VR plugin <= 8.5.42 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-62886 | 2025-10-27 | WordPress Pricing Table builder plugin <= 1.5.1 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-62887 | 2025-10-27 | WordPress King Addons for Elementor plugin <= 51.1.37 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-62889 | 2025-10-27 | WordPress King Addons for Elementor plugin <= 51.1.37 - Broken Access Control vulnerability |
| CVE-2025-62890 | 2025-10-27 | WordPress Premmerce Brands for WooCommerce plugin <= 1.2.13 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-62891 | 2025-10-27 | WordPress Off-Canvas Sidebars & Menus (Slidebars) plugin <= 0.5.8.5 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-62892 | 2025-10-27 | WordPress Sunshine Photo Cart plugin <= 3.5.3 - Broken Access Control vulnerability |
| CVE-2025-62893 | 2025-10-27 | WordPress Create by Mediavine plugin <= 1.9.14 - Insecure Direct Object References (IDOR) vulnerability |
| CVE-2025-62894 | 2025-10-27 | WordPress ACF Recent Posts Widget plugin <= 5.9.3 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-62895 | 2025-10-27 | WordPress Atarim plugin <= 4.2 - Sensitive Data Exposure vulnerability |