CVE List - 2025 / November
Showing 1601 - 1700 of 1779 CVEs for November 2025 (Page 17 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-64379 | 2025-11-13 | WordPress Booster for WooCommerce plugin <= 7.4.0 - Broken Access Control vulnerability |
| CVE-2025-64380 | 2025-11-13 | WordPress Booster for WooCommerce plugin <= 7.3.2 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64381 | 2025-11-13 | WordPress Booking Calendar plugin <= 10.14.7 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64382 | 2025-11-13 | WordPress Order Export & Order Import for WooCommerce plugin <= 2.6.7 - Broken Access Control vulnerability |
| CVE-2025-64383 | 2025-11-13 | WordPress Qi Blocks plugin <= 1.4.3 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-64384 | 2025-11-13 | WordPress JetFormBuilder plugin <= 3.5.3 - Broken Access Control vulnerability |
| CVE-2025-12377 | 2025-11-13 | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions |
| CVE-2025-40681 | 2025-11-13 | Cross-Site Scripting (XSS) in xCally Omnichannel |
| CVE-2025-12762 | 2025-11-13 | Remote Code Execution vulnerability when restoring PLAIN-format SQL dumps in server mode (pgAdmin 4) |
| CVE-2025-12763 | 2025-11-13 | Command injection vulnerability allowing arbitrary command execution on Windows |
| CVE-2025-12764 | 2025-11-13 | pgAdmin 4: LDAP injection vulnerability in LDAP authentication flow. |
| CVE-2025-12765 | 2025-11-13 | pgAdmin 4: LDAP authentication flow vulnerable to TLS certificate verification bypass. |
| CVE-2025-12817 | 2025-11-13 | PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege |
| CVE-2025-12818 | 2025-11-13 | PostgreSQL libpq undersizes allocations, via integer wraparound |
| CVE-2025-41069 | 2025-11-13 | Insecure Direct Object References (IDOR) in DeporSite of T-Innova DeporSite |
| CVE-2025-13114 | 2025-11-13 | macrozheng mall-swarm attr updateAttr improper authorization |
| CVE-2025-13115 | 2025-11-13 | macrozheng mall-swarm Order Details detail improper authorization |
| CVE-2025-13116 | 2025-11-13 | macrozheng mall-swarm cancelUserOrder improper authorization |
| CVE-2025-64738 | 2025-11-13 | Zoom Workplace for macOS - External Control of File Name or Path |
| CVE-2025-64739 | 2025-11-13 | Zoom Clients - External Control of File Name or Path |
| CVE-2025-13117 | 2025-11-13 | macrozheng mall-swarm cancelOrder improper authorization |
| CVE-2025-64740 | 2025-11-13 | Zoom Workplace VDI Client for Windows - Improper Verification of Cryptographic Signature |
| CVE-2025-64741 | 2025-11-13 | Zoom Workplace for Android - Improper Authorization Handling |
| CVE-2025-30669 | 2025-11-13 | Zoom Workplace Clients - Improper Certificate Validation |
| CVE-2025-30662 | 2025-11-13 | Zoom Workplace VDI Plugin macOS Universal Installer - Symlink Following |
| CVE-2025-62482 | 2025-11-13 | Zoom Workplace for Windows - Cross-site Scripting |
| CVE-2025-13118 | 2025-11-13 | macrozheng mall-swarm paySuccess improper authorization |
| CVE-2025-13119 | 2025-11-13 | Fabian Ros/SourceCodester Simple E-Banking System cross-site request forgery |
| CVE-2025-62483 | 2025-11-13 | Zoom Clients - Improper Removal of Sensitive Information |
| CVE-2025-62484 | 2025-11-13 | Zoom Workplace Clients - Inefficient Regular Expression Complexity |
| CVE-2025-64714 | 2025-11-13 | PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal |
| CVE-2025-64717 | 2025-11-13 | ZITADEL vulnerable to Account Takeover with deactivated Instance IdP |
| CVE-2025-13120 | 2025-11-13 | mruby array.c sort_cmp use after free |
| CVE-2025-64718 | 2025-11-13 | js-yaml has prototype pollution in merge (<<) |
| CVE-2025-64511 | 2025-11-13 | MaxKB has SSRF in sandbox |
| CVE-2025-64703 | 2025-11-13 | MaxKB has Information Leak in sandbox |
| CVE-2025-64525 | 2025-11-13 | Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass |
| CVE-2025-20341 | 2025-11-13 | Cisco Catalyst Center Privilege Escalation Vulnerability |
| CVE-2025-20349 | 2025-11-13 | Cisco DNA Center API Command Injection Vulnerability |
| CVE-2025-20353 | 2025-11-13 | Cisco Catalyst Center Cross-Site Scripting Vulnerability |
| CVE-2025-20355 | 2025-11-13 | Cisco Catalyst Center Software HTTP Open Redirect Vulnerability |
| CVE-2025-20346 | 2025-11-13 | Cisco Catalyst Center Privilege Escalation Vulnerability |
| CVE-2025-13121 | 2025-11-13 | cameasy Liketea API Endpoint StoreController.php list sql injection |
| CVE-2025-11538 | 2025-11-13 | Keycloak-server: debug default bind address |
| CVE-2025-11777 | 2025-11-13 | Cross-team channel membership access |
| CVE-2025-59480 | 2025-11-13 | Inadequate validation of SSO redirect credentials permits credential theft |
| CVE-2025-12784 | 2025-11-13 | Certain HP LaserJet Pro Printers – Potential Information Disclosure |
| CVE-2025-12785 | 2025-11-13 | Certain HP LaserJet Pro Printers – Potential Information Disclosure |
| CVE-2025-64706 | 2025-11-13 | Typebot IDOR Vulnerability: Unauthorized API Token Deletion and Exposure |
| CVE-2025-13122 | 2025-11-13 | SourceCodester Patients Waiting Area Queue Management System api_patient_checkin.php getPatientAppointment sql injection |
| CVE-2025-13123 | 2025-11-13 | AMTT Hotel Broadband Operation System get_firstdate.php sql injection |
| CVE-2025-43515 | 2025-11-13 | The issue was addressed by refusing external connections by default. This issue is fixed in Compressor 4.11.1. An unauthenticated user on the same network as a Compressor server may be... |
| CVE-2025-46367 | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain a Detection of Error Condition Without Action vulnerability. A low privileged attacker with local access could potentially exploit this... |
| CVE-2025-46368 | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to... |
| CVE-2025-46362 | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to... |
| CVE-2022-4984 | 2025-11-13 | ZenTao Biz < 6.5, Max < 3.0, & Open Source Edition 16.5/16.5beta1 SQL Injection via user-login.html |
| CVE-2025-46370 | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain a Process Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information... |
| CVE-2025-46369 | 2025-11-13 | Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to... |
| CVE-2025-64709 | 2025-11-13 | Typebot May Expose AWS EKS Credentials via Server Side Request Forgery in Webhook Block |
| CVE-2025-59840 | 2025-11-13 | Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable |
| CVE-2025-64726 | 2025-11-13 | External Control of System or Configuration Setting and Uncontrolled Search Path Element in sfw |
| CVE-2025-4619 | 2025-11-13 | PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Packets |
| CVE-2025-64745 | 2025-11-13 | Astro development server error page vulnerable to reflected Cross-site Scripting |
| CVE-2025-64744 | 2025-11-13 | OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails |
| CVE-2025-64746 | 2025-11-13 | Directus has Improper Permission Handling on Deleted Fields |
| CVE-2025-64747 | 2025-11-13 | Directus Vulnerable to Stored Cross-site Scripting |
| CVE-2025-47913 | 2025-11-13 | Potential denial of service in golang.org/x/crypto/ssh/agent |
| CVE-2025-64748 | 2025-11-13 | Directus's conceal fields are searchable if read permissions enabled |
| CVE-2025-64749 | 2025-11-13 | Directus Vulnerable to Information Leakage in Existing Collections |
| CVE-2025-64752 | 2025-11-13 | grist-core has path to server-side requests via websocket |
| CVE-2025-64753 | 2025-11-13 | grist-core has insufficient access control in endpoints for comparisons between documents and versions |
| CVE-2025-64754 | 2025-11-13 | Jitsi Meet has DOM Redirect on Microsoft OAuth Flow |
| CVE-2025-36251 | 2025-11-13 | AIX Command Execution |
| CVE-2025-36096 | 2025-11-13 | AIX Insufficiently Protected Credentials |
| CVE-2025-36250 | 2025-11-13 | AIX Code Execution |
| CVE-2025-36236 | 2025-11-13 | AIX Path Traversal |
| CVE-2025-13130 | 2025-11-13 | Radarr Service Radarr.Console.exe default permission |
| CVE-2025-13131 | 2025-11-13 | Sonarr Service Sonarr.Console.exe default permission |
| CVE-2025-64530 | 2025-11-13 | @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields |
| CVE-2024-42749 | 2025-11-14 | Cross Site Scripting vulnerability in Alto CMS v.1.1.13 allows a local attacker to execute arbitrary code via a crafted script. |
| CVE-2024-44630 | 2025-11-14 | Multiple parameters in register.php in PHPGurukul Student Record System 3.20 are vulnerable to SQL injection. These include: c-full, fname, mname, lname, gname, ocp, nation, mobno, email, board1, roll1, pyear1, board2, roll2,... |
| CVE-2024-44632 | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the id and emailid parameters in password-recovery.php. |
| CVE-2024-44633 | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the currentpassword parameter in change-password.php. |
| CVE-2024-44635 | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to Cross Site Scripting (XSS) via adminname and aemailid parameters in /admin-profile.php. |
| CVE-2024-44636 | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the adminname and aemailid parameters in /admin-profile.php. |
| CVE-2024-44639 | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the sub1, sub2, sub3, sub4, and course-short parameters in add-subject.php. |
| CVE-2024-44640 | 2025-11-14 | PHPGurukul Student Record System 3.20 is vulnerable to SQL Injection via the course-short, course-full, and cdate parameters in add-course.php. |
| CVE-2024-55016 | 2025-11-14 | PHPGurukul Student Record Management System 3.20 is vulnerable to SQL Injection via the id and password parameters in login.php. |
| CVE-2025-54339 | 2025-11-14 | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. |
| CVE-2025-54340 | 2025-11-14 | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is a Broken or Risky Cryptographic Algorithm. |
| CVE-2025-54342 | 2025-11-14 | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is Exposure of Sensitive Information because of Incompatible Policies. |
| CVE-2025-54343 | 2025-11-14 | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. |
| CVE-2025-54345 | 2025-11-14 | An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. Sensitive Information is exposed to an Unauthorized Actor. |
| CVE-2025-54346 | 2025-11-14 | A Reflected Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user’s browser, capturing... |
| CVE-2025-54348 | 2025-11-14 | A Stored Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user’s browser, capturing... |
| CVE-2025-54559 | 2025-11-14 | An issue was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote Path Traversal for loading arbitrary external content. |
| CVE-2025-54560 | 2025-11-14 | A Server-side Request Forgery vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Probing of internal infrastructure. |
| CVE-2025-54561 | 2025-11-14 | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct... |
| CVE-2025-54562 | 2025-11-14 | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Technical Information to be Disclosed through stack trace. |
| CVE-2025-63291 | 2025-11-14 | When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check... |