CVE List - 2025 / November
Showing 1 - 100 of 1779 CVEs for November 2025 (Page 1 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-11174 | 2025-11-01 | Document Library Lite <= 1.1.6 - Missing Authorization to Sensitive Information Exposure |
| CVE-2025-11920 | 2025-11-01 | WPCOM Member <= 1.7.14 - Authenticated (Contributor+) Local File Inclusion via Shortcode |
| CVE-2025-11922 | 2025-11-01 | Inactive Logout <= 3.5.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting |
| CVE-2025-62275 | 2025-11-01 | Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does... |
| CVE-2025-11833 | 2025-11-01 | Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.0 - Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure |
| CVE-2025-12367 | 2025-11-01 | SiteSEO – SEO Simplified <= 1.3.1 - Missing Authorization to Authenticated (Author+) Plugin Settings Update |
| CVE-2025-11928 | 2025-11-01 | CSS & JavaScript Toolbox <= 12.0.5 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-11377 | 2025-11-01 | List category posts <= 0.92.0 - Authenticated (Contributor+) Information Exposure |
| CVE-2025-11995 | 2025-11-01 | Community Events <= 1.5.2 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2025-12118 | 2025-11-01 | Schema Scalpel <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in JSON-LD Schema |
| CVE-2025-5949 | 2025-11-01 | Service Finder Bookings <= 6.0 - Authenticated (Subscriber+) Privilege Escalation via change_candidate_password |
| CVE-2025-11927 | 2025-11-01 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed <= 2.4.14 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-12180 | 2025-11-01 | Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update |
| CVE-2025-12090 | 2025-11-01 | Employee Spotlight – Team Member Showcase & Meet the Team Plugin <= 5.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-11983 | 2025-11-01 | WP Discourse <= 2.5.9 - Authenticated (Author+) Information Exposure |
| CVE-2025-12038 | 2025-11-01 | Folderly <= 0.3 - Incorrect Authorization to Authenticated (Author+) Term Deletion |
| CVE-2025-11740 | 2025-11-01 | wpForo Forum <= 2.4.9 - Authenticated (Susbscriber+) SQL Injection |
| CVE-2025-11502 | 2025-11-01 | Schema & Structured Data for WP & AMP <= 1.51 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-6574 | 2025-11-01 | Service Finder Bookings < 6.1 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover |
| CVE-2025-11499 | 2025-11-01 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.1.32 - Unauthenticated Arbitrary File Upload |
| CVE-2025-10487 | 2025-11-01 | Advanced Ads <= 2.0.12 - Unauthenticated Limited Code Execution |
| CVE-2025-11755 | 2025-11-01 | Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload |
| CVE-2025-12171 | 2025-11-01 | RESTful Content Syndication 1.1.0 - 1.5.0 - Authenticated (Contributor+) Arbitrary File Upload |
| CVE-2025-12137 | 2025-11-01 | Import WP – Export and Import CSV and XML files to WordPress <= 2.14.16 - Authenticated (Admin+) Arbitrary File Read |
| CVE-2025-6990 | 2025-11-01 | Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution |
| CVE-2025-6988 | 2025-11-01 | Kallyas <= 4.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-36367 | 2025-11-01 | IBM i is affected by a privilege escalation in IBM i SQL services |
| CVE-2025-12599 | 2025-11-01 | Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000) |
| CVE-2025-12600 | 2025-11-01 | Web UI Malfunction |
| CVE-2025-12601 | 2025-11-01 | Denial of Service Due to SlowLoris |
| CVE-2025-12602 | 2025-11-01 | /etc/avahi/services/z9.service can be Arbitrarily Written |
| CVE-2025-12603 | 2025-11-01 | /etc/timezone can be Arbitrarily Written |
| CVE-2025-12593 | 2025-11-02 | code-projects Simple Online Hotel Reservation System Photo edit_room.php unrestricted upload |
| CVE-2025-12594 | 2025-11-02 | code-projects Simple Online Hotel Reservation System add_account.php sql injection |
| CVE-2025-12595 | 2025-11-02 | Tenda AC23 SetVirtualServerCfg formSetVirtualSer buffer overflow |
| CVE-2025-12596 | 2025-11-02 | Tenda AC23 saveParentControlInfo buffer overflow |
| CVE-2025-12597 | 2025-11-02 | SourceCodester Best House Rental Management System admin_class.php save_category sql injection |
| CVE-2025-12598 | 2025-11-02 | SourceCodester Best House Rental Management System admin_class.php save_tenant sql injection |
| CVE-2025-12604 | 2025-11-02 | itsourcecode Online Loan Management System load_fields.php sql injection |
| CVE-2025-12605 | 2025-11-02 | itsourcecode Online Loan Management System manage_loan.php sql injection |
| CVE-2025-12606 | 2025-11-02 | itsourcecode Online Loan Management System manage_borrower.php sql injection |
| CVE-2024-51317 | 2025-11-03 | An issue in NetSurf v.3.11 allows a remote attacker to execute arbitrary code via the dom_node_normalize function |
| CVE-2025-29699 | 2025-11-03 | NetSurf 3.11 is vulnerable to Use After Free in dom_node_set_text_content function. |
| CVE-2025-45663 | 2025-11-03 | An issue in NetSurf v3.11 causes the application to read uninitialized heap memory when creating a dom_event structure. |
| CVE-2025-50363 | 2025-11-03 | Phpgurukul Maid Hiring Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in /maid-hiring.php va the name field. |
| CVE-2025-50735 | 2025-11-03 | Directory traversal vulnerability in NextChat thru 2.16.0 due to the WebDAV proxy failing to canonicalize or reject dot path segments in its catch-all route, allowing attackers to gain sensitive information... |
| CVE-2025-60503 | 2025-11-03 | A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log... |
| CVE-2025-60785 | 2025-11-03 | A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. |
| CVE-2025-60892 | 2025-11-03 | An issue in Raspberry Pi Imager version 1.9.6 for Windows, affecting its OS customization feature. The imager's 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows... |
| CVE-2025-63293 | 2025-11-03 | FairSketch Rise Ultimate Project Manager & CRM 3.9.4 is vulnerable to Insecure Permissions. A remote authenticated user can append comments or upload attachments to tickets for which they lack view... |
| CVE-2025-63441 | 2025-11-03 | Open Source Social Network (OSSN) 8.6 is vulnerable to Cross Site Scripting (XSS) via the parameter param` at endpoint u/administrator/friends. |
| CVE-2025-63442 | 2025-11-03 | Simple User Management System with PHP-MySQL v1.0 is vulnerable to Cross-Site Scripting (XSS) via the Profile Section. The system fails to properly sanitize user input, allowing attackers to inject and... |
| CVE-2025-63443 | 2025-11-03 | School Management System PHP v1.0 is vulnerable to Cross Site Scripting (XSS) in /login.php via the password parameter. |
| CVE-2025-63446 | 2025-11-03 | Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /add_vendor.php. |
| CVE-2025-63447 | 2025-11-03 | Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /add_customer.php. |
| CVE-2025-63448 | 2025-11-03 | Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /edit_product.php?id=1. |
| CVE-2025-63449 | 2025-11-03 | Water Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /orders.php. |
| CVE-2025-63450 | 2025-11-03 | Car-Booking-System-PHP v.1.0 is vulnerable to Cross Site Scripting (XSS) in /carlux/booking.php. |
| CVE-2025-63451 | 2025-11-03 | Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/sign-in.php. |
| CVE-2025-63452 | 2025-11-03 | Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/forgot-pass.php. |
| CVE-2025-63453 | 2025-11-03 | Car-Booking-System-PHP v.1.0 is vulnerable to SQL Injection in /carlux/contact.php. |
| CVE-2025-63593 | 2025-11-03 | Grav CMS1.7.49.5 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2025-12607 | 2025-11-03 | itsourcecode Online Loan Management System manage_payment.php sql injection |
| CVE-2025-12608 | 2025-11-03 | itsourcecode Online Loan Management System manage_user.php sql injection |
| CVE-2025-12609 | 2025-11-03 | CodeAstro Gym Management System update-progress.php sql injection |
| CVE-2025-12610 | 2025-11-03 | CodeAstro Gym Management System view-progress-report.php sql injection |
| CVE-2025-12611 | 2025-11-03 | Tenda AC21 SetPptpServerCfg formSetPPTPServer buffer overflow |
| CVE-2025-12612 | 2025-11-03 | Campcodes School Fees Payment Management System ajax.php sql injection |
| CVE-2025-12614 | 2025-11-03 | SourceCodester Best House Rental Management System admin_class.php delete_payment sql injection |
| CVE-2025-12615 | 2025-11-03 | PHPGurukul News Portal settings.py hard-coded key |
| CVE-2025-12616 | 2025-11-03 | PHPGurukul News Portal settings.py insertion of sensitive information into debugging code |
| CVE-2025-12617 | 2025-11-03 | itsourcecode Billing System login_crud.php sql injection |
| CVE-2025-12618 | 2025-11-03 | Tenda AC8 DatabaseIniSet buffer overflow |
| CVE-2025-12503 | 2025-11-03 | Digiwin|EasyFlow .NET and EasyFlow AiNet |
| CVE-2025-12619 | 2025-11-03 | Tenda A15 openNetworkGateway fromSetWirelessRepeat buffer overflow |
| CVE-2025-12622 | 2025-11-03 | Tenda AC10 SysRunCmd formSysRunCmd buffer overflow |
| CVE-2025-48396 | 2025-11-03 | Arbitrary code execution is possible due to improper validation of the file upload functionality in Eaton BLSS. This security issue has been fixed in the latest script patch latest version... |
| CVE-2025-12623 | 2025-11-03 | fushengqian fuint Authentication Token ClientSignController.java authorization |
| CVE-2025-48397 | 2025-11-03 | The privileged user could log in without sufficient credentials after enabling an application protocol. This security issue has been fixed in the latest script patch latest version of of Eaton... |
| CVE-2025-0987 | 2025-11-03 | IDOR in CB Project's CVLand |
| CVE-2025-40107 | 2025-11-03 | can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled |
| CVE-2025-12626 | 2025-11-03 | jeecgboot jeewx-boot WxActGoldeneggsPrizesController.java getImgUrl path traversal |
| CVE-2025-64294 | 2025-11-03 | WordPress WP Snow Effect plugin <= 1.1.15 - Broken Access Control to Notice Dismissal vulnerability |
| CVE-2025-8900 | 2025-11-03 | Doccure Core < 1.5.4 - Unauthenticated Privilege Escalation |
| CVE-2025-11761 | 2025-11-03 | HP Client Management Script Library – Security Update |
| CVE-2025-36091 | 2025-11-03 | IBM Business Automation Insights unverified ownership |
| CVE-2025-36092 | 2025-11-03 | IBM Business Automation Insights improper input validation |
| CVE-2025-36093 | 2025-11-03 | security vulnerabilities are addressed with IBM Business Automation Insights iFixes for October 2025. |
| CVE-2025-11953 | 2025-11-03 | Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests |
| CVE-2025-10280 | 2025-11-03 | Incorrect Content Type Cross-Site Scripting Vulnerability |
| CVE-2025-12463 | 2025-11-03 | Unauthenticated SQL Injection in Guetebruck G-Cam Series Cameras |
| CVE-2025-8558 | 2025-11-03 | Insider Threat Management (ITM) Server versions prior to 7.17.2 contain an authentication bypass vulnerability that allows unauthenticated users on an adjacent network to perform agent unregistration when the number of... |
| CVE-2025-12642 | 2025-11-03 | HTTP Header Smuggling via Trailer Merge |
| CVE-2025-12531 | 2025-11-03 | IBM InfoSphere Information Server is affected by an XML external entity injection (XXE) vulnerability |
| CVE-2025-12657 | 2025-11-03 | Malformed KMIP response may result in access violation |
| CVE-2025-36172 | 2025-11-03 | Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002 |
| CVE-2025-11193 | 2025-11-03 | A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information. |
| CVE-2024-13998 | 2025-11-03 | Nagios XI < 2024R1.1.3 API Keys & Hashed Passwords Authenticated Information Disclosure |
| CVE-2024-13997 | 2025-11-03 | Nagios XI < 2024R1.1.3 Privilege Escalation via Migrate Server Feature to Root on Host |
| CVE-2021-47698 | 2025-11-03 | Nagios XI < 5.8.7 XSS in Core UI Views URL handling |