CVE List - 2025 / November
Showing 301 - 400 of 1779 CVEs for November 2025 (Page 4 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-20741 | 2025-11-04 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor... |
| CVE-2025-20748 | 2025-11-04 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor... |
| CVE-2025-20749 | 2025-11-04 | In charger, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already... |
| CVE-2025-11690 | 2025-11-04 | IDOR vulnerability in the CFMOTO RIDE API |
| CVE-2025-12493 | 2025-11-04 | ShopLentor <= 3.2.5 - Unauthenticated Local PHP File Inclusion via 'load_template' |
| CVE-2025-12045 | 2025-11-04 | Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy |
| CVE-2025-41111 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41112 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41113 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41114 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41335 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41336 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41337 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41338 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41339 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41340 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41341 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41342 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41343 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41344 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-41345 | 2025-11-04 | Missing Authorization vulnerability in CanalDenuncia.app |
| CVE-2025-12695 | 2025-11-04 | Insecure configuration in DSPy lead to arbitrary file read when running untrusted code inside the sandbox |
| CVE-2025-12682 | 2025-11-04 | Easy Upload Files During Checkout <= 2.9.8 - Unauthenticated Arbitrary JavaScript File Upload |
| CVE-2025-12184 | 2025-11-04 | MeetingList <= 0.11 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-61945 | 2025-11-04 | Missing Authentication for Critical Function in Radiometrics VizAir |
| CVE-2025-54863 | 2025-11-04 | Insufficiently Protected Credentials in Radiometrics VizAir |
| CVE-2025-61956 | 2025-11-04 | Missing Authentication for Critical Function in Radiometrics VizAir |
| CVE-2025-10875 | 2025-11-04 | Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection.This issue affects Mulesoft Anypoint Code Builder: before 1.11.6. |
| CVE-2025-64318 | 2025-11-04 | Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1. |
| CVE-2025-64319 | 2025-11-04 | Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1 |
| CVE-2025-64320 | 2025-11-04 | Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection.This issue affects Agentforce Vibes Extension: before 3.2.0. |
| CVE-2025-64321 | 2025-11-04 | Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0. |
| CVE-2025-64322 | 2025-11-04 | Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0. |
| CVE-2025-12108 | 2025-11-04 | Missing Authentication for Critical Function Survision License Plate Recognition Camera |
| CVE-2025-33176 | 2025-11-04 | NVIDIA RunAI for all platforms contains a vulnerability where a user could cause an improper restriction of communications channels on an adjacent network. A successful exploit of this vulnerability might... |
| CVE-2025-23358 | 2025-11-04 | NVIDIA NVApp for Windows contains a vulnerability in the installer, where a local attacker can cause a search path element issue. A successful exploit of this vulnerability might lead to... |
| CVE-2025-32786 | 2025-11-04 | GLPI Inventory Plugin is Vulnerable to Unauthenticated SQL Injection |
| CVE-2025-47776 | 2025-11-04 | MantisBT: Authentication bypass for some passwords due to PHP type juggling |
| CVE-2025-48076 | 2025-11-04 | Galette is vulnerable to Cross-site Scripting |
| CVE-2025-48884 | 2025-11-04 | Galette is vulnerable to XSS through Document Type |
| CVE-2025-55155 | 2025-11-04 | MantisBT: Authentication bypass for some passwords due to PHP type juggling |
| CVE-2025-62369 | 2025-11-04 | Xibo CMS: Remote Code Execution through module templates |
| CVE-2025-62507 | 2025-11-04 | Redis: Bug in XACKDEL may lead to stack overflow and potential RCE |
| CVE-2025-62520 | 2025-11-04 | MantisBT unauthorized disclosure of private project column configuration |
| CVE-2025-54496 | 2025-11-04 | Fuji Electric Monitouch V-SFT-6 Heap-based Buffer Overflow |
| CVE-2025-62715 | 2025-11-04 | ClipBucket v5: Stored XSS via Collection Tags |
| CVE-2025-54526 | 2025-11-04 | Fuji Electric Monitouch V-SFT-6 Stack-based Buffer Overflow |
| CVE-2025-62719 | 2025-11-04 | LinkAce: Limited Server-Side Request Forgery (SSRF) in Keyword Fetching Functionality |
| CVE-2025-62720 | 2025-11-04 | LinkAce: Data Exfiltration via Export Functions Allow Access to All Users' Private Links |
| CVE-2025-62721 | 2025-11-04 | LinkAce: Authorization Bypass Allows Unauthorized Access to All Private Links, Lists, and Tags |
| CVE-2025-62722 | 2025-11-04 | LinkAce: Stored XSS Vulnerability in Link Title Field Through Social Media Sharing Feature |
| CVE-2025-59595 | 2025-11-04 | CVE-2025-59595 is an internally discovered denial of service vulnerability in versions of Secure Access prior to 14.12. An attacker can send a specially crafted packet to a server in a... |
| CVE-2025-64106 | 2025-11-04 | Cursor: Speedbump Modal Bypass in MCP Server Deep-Link |
| CVE-2025-59596 | 2025-11-04 | CVE-2025-59596 is a denial-of-service vulnerability in Secure Access Windows client versions 12.0 to 14.10 that is addressed in version 14.12. If a local networking policy is active, attackers on an... |
| CVE-2025-64107 | 2025-11-04 | Cursor is Vulnerable to Path Manipulation Using Backslashes on Windows |
| CVE-2025-64108 | 2025-11-04 | Cursor's Sensitive File Modification can Lead to NTFS Path Quirks |
| CVE-2025-64109 | 2025-11-04 | Cursor CLI Beta: Command Injection via Untrusted MCP Configuration |
| CVE-2025-64110 | 2025-11-04 | Cursor: Authentication Bypass Possible via New Cursorignore Write |
| CVE-2025-55341 | 2025-11-05 | Cross Site Scripting vulnerability in Quipux 4.0.1 through e1774ac allows anexos/anexos_nuevo.php asocImgRad. |
| CVE-2025-55342 | 2025-11-05 | Quipux 4.0.1 through e1774ac allows enumeration of usernames, and accessing the Ecuadorean identification number for all registered users via the Administracion/usuarios/cambiar_password_olvido_validar.php txt_login parameter. |
| CVE-2025-55343 | 2025-11-05 | Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usua_codi, anexos_lista.php radi_temp, Administracion/listas/formArea_ajax.php codDepe, Administracion/listas/formDepeHijo_ajax.php codDepe, Administracion/listas/formDepePadre_ajax.php codInst, asociar_documentos/asociar_borrar_referencia.php radi_nume, asociar_documentos/asociar_documento_buscar_query.php radi_nume, asociar_documentos/as... |
| CVE-2025-56231 | 2025-11-05 | Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections. |
| CVE-2025-56232 | 2025-11-05 | GOG Galaxy 2.0.0.2 suffers from Missing SSL Certificate Validation. An attacker who controls the local network, DNS, or a proxy can perform a man-in-the-middle (MitM) attack to intercept update requests... |
| CVE-2025-57130 | 2025-11-05 | An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP... |
| CVE-2025-57244 | 2025-11-05 | OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when... |
| CVE-2025-59716 | 2025-11-05 | ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address... |
| CVE-2025-60753 | 2025-11-05 | An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead... |
| CVE-2025-60784 | 2025-11-05 | A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP... |
| CVE-2025-61084 | 2025-11-05 | MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From:... |
| CVE-2025-61304 | 2025-11-05 | OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address. |
| CVE-2025-63248 | 2025-11-05 | DWSurvey 6.14.0 is vulnerable to Incorrect Access Control. When deleting a questionnaire, replacing the questionnaire ID with the ID of another questionnaire can enable the deletion of other questionnaires. |
| CVE-2025-63334 | 2025-11-05 | PocketVJ CP PocketVJ-CP-v3 pvj version 3.9.1 contains an unauthenticated remote code execution vulnerability in the submit_opacity.php component. The application fails to sanitize user input in the opacityValue POST parameter before... |
| CVE-2025-63416 | 2025-11-05 | ** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute arbitrary JavaScript in the context of... |
| CVE-2025-63417 | 2025-11-05 | A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated attackers to inject arbitrary web scripts or HTML via the chat message input... |
| CVE-2025-63418 | 2025-11-05 | A DOM-based Cross-Site Scripting (XSS) vulnerability in the SelfBest platform 2023.3 allows attackers to execute arbitrary JavaScript in the context of a logged-in user's session by injecting payloads via the... |
| CVE-2025-63585 | 2025-11-05 | OSSN (Open Source Social Network) 8.6 is vulnerable to SQL Injection in /action/rtcomments/status via the timestamp parameter. |
| CVE-2025-63601 | 2025-11-05 | Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and execute system commands. |
| CVE-2025-12735 | 2025-11-05 | CVE-2025-12735 |
| CVE-2025-8871 | 2025-11-05 | Everest Forms (Pro) <= 1.9.7 - Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature |
| CVE-2025-12582 | 2025-11-05 | Features <= 0.0.2 - Missing Authorization to Authenticated (Subscriber+) Option Reset |
| CVE-2025-12580 | 2025-11-05 | SMS for WordPress <= 1.1.8 - Reflected Cross-Site Scripting |
| CVE-2025-11835 | 2025-11-05 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.16.4 - Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal |
| CVE-2025-11162 | 2025-11-05 | Spectra <= 2.19.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom CSS |
| CVE-2025-12197 | 2025-11-05 | The Events Calendar 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s |
| CVE-2025-11749 | 2025-11-05 | AI Engine <= 3.1.3 - Unauthenticated Sensitive Information Exposure to Privilege Escalation |
| CVE-2025-21071 | 2025-11-05 | Out-of-bounds write in handling opcode in fingerprint trustlet prior to SMR Nov-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. |
| CVE-2025-21073 | 2025-11-05 | Insecure default configuration in USB connection mode prior to SMR Nov-2025 Release 1 allows privileged physical attackers to access user data. User interaction is required for triggering this vulnerability. |
| CVE-2025-21074 | 2025-11-05 | Out-of-bounds read in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory. |
| CVE-2025-21075 | 2025-11-05 | Out-of-bounds write in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory. |
| CVE-2025-21076 | 2025-11-05 | Improper handling of insufficient permissions or privileges in Samsung Account prior to version 15.5.00.18 allows local attackers to access data in Samsung Account. User interaction is required for triggering this... |
| CVE-2025-21077 | 2025-11-05 | Improper input validation in Samsung Email prior to version 6.2.06.0 allows local attackers to launch arbitrary activity with Samsung Email privilege. |
| CVE-2025-21078 | 2025-11-05 | Use of insufficiently random value of secretKey in Smart Switch prior to version 3.7.68.6 allows adjacent attackers to access backup data from applications. |
| CVE-2025-21079 | 2025-11-05 | Improper input validation in Samsung Members prior to version 5.5.01.3 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for... |
| CVE-2025-10567 | 2025-11-05 | FunnelKit < 3.12.0.1 - Reflected XSS |
| CVE-2025-10873 | 2025-11-05 | Elementinvader Addons for Elementor < 1.4.1 – Unauthenticated Arbitrary Email Sending |
| CVE-2025-11072 | 2025-11-05 | Download Counter Button <= 1.8.6.7 - Unauthenticated Arbitrary File Download |
| CVE-2025-6027 | 2025-11-05 | Ace User Management <= 2.0.3 - Subscriber+ Authentication Bypass via Password Rest |
| CVE-2025-64151 | 2025-11-05 | Multiple Roboticsware products provided by Roboticsware PTE. LTD. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may... |
| CVE-2025-62225 | 2025-11-05 | Optical Disc Archive Software provided by Sony Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system... |
| CVE-2025-11917 | 2025-11-05 | WPeMatico RSS Feed Fetcher <= 2.8.11 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed |