CVE List - 2025 / November
Showing 401 - 500 of 1779 CVEs for November 2025 (Page 5 of 18)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-12139 | 2025-11-05 | File Manager for Google Drive – Integrate Google Drive with WordPress <= 1.5.3 - Unauthenticated Sensitive Information Exposure |
| CVE-2025-11373 | 2025-11-05 | Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload |
| CVE-2025-12388 | 2025-11-05 | B Carousel Block – Responsive Image and Content Carousel <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery |
| CVE-2025-12384 | 2025-11-05 | Document Embedder – Embed PDFs, Word, Excel, and Other Files <= 2.0.0 - Missing Authorization to Unauthenticated Document Manipulation |
| CVE-2025-12677 | 2025-11-05 | KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure |
| CVE-2025-12674 | 2025-11-05 | KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload |
| CVE-2025-12676 | 2025-11-05 | KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass |
| CVE-2025-12675 | 2025-11-05 | KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update |
| CVE-2025-10622 | 2025-11-05 | Foreman: os command injection via ct_location and fcct_location parameters |
| CVE-2025-55108 | 2025-11-05 | BMC Control-M/Agent default configuration does not enforce SSL/TLS allowing unauthorized actions and remote code execution |
| CVE-2025-58337 | 2025-11-05 | Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server |
| CVE-2025-11820 | 2025-11-05 | Graphina – Elementor Charts and Graphs <= 3.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Widgets |
| CVE-2025-12468 | 2025-11-05 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Unauthenticated Sensitive Information Exposure |
| CVE-2025-11987 | 2025-11-05 | Visual Link Preview <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode |
| CVE-2025-12469 | 2025-11-05 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending |
| CVE-2025-12192 | 2025-11-05 | The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure |
| CVE-2025-12497 | 2025-11-05 | Premium Portfolio Features for Phlox theme <= 2.3.10 - Unauthenticated Local File Inclusion via args[extra_template_path] |
| CVE-2025-11745 | 2025-11-05 | Ad Inserter <= 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field |
| CVE-2025-52602 | 2025-11-05 | HCL BigFix Query is affected by a sensitive information disclosure vulnerability in the WebUI Query application |
| CVE-2025-3125 | 2025-11-05 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution |
| CVE-2025-46705 | 2025-11-05 | A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An... |
| CVE-2025-46784 | 2025-11-05 | A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service.... |
| CVE-2025-46404 | 2025-11-05 | A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send... |
| CVE-2025-47151 | 2025-11-05 | A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can... |
| CVE-2025-64458 | 2025-11-05 | Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows |
| CVE-2025-64459 | 2025-11-05 | Potential SQL injection via _connector keyword argument in QuerySet and Q objects |
| CVE-2025-45378 | 2025-11-05 | Dell CloudLink, versions 8.0 through 8.1.2, contain vulnerability on restricted shell. A Privileged user with known password can break into command shell of CloudLink server and gain access of shell... |
| CVE-2025-30479 | 2025-11-05 | Dell CloudLink, versions prior to 8.2, contain a vulnerability where a privileged user with known password can run command injection to gain control of system. |
| CVE-2025-20343 | 2025-11-05 | Cisco Identity Services Engine Radius Suppression Denial of Service Vulnerability |
| CVE-2025-20354 | 2025-11-05 | Cisco Unified Contact Center Express Remote Code Execution Vulnerability |
| CVE-2025-20358 | 2025-11-05 | Cisco Unified Contact Center Express Editor Authentication Bypass Vulnerability |
| CVE-2025-20374 | 2025-11-05 | Cisco Unified Contact Center Express Arbitrary File Download Vulnerability |
| CVE-2025-20376 | 2025-11-05 | Cisco Unified Contact Center Express Remote Code Execution Vulnerability |
| CVE-2025-20375 | 2025-11-05 | Cisco Unified Contact Center Express Arbitrary File Upload Vulnerability |
| CVE-2025-20377 | 2025-11-05 | Cisco Unified Intelligence Center API Information Disclosure Vulnerability |
| CVE-2025-45379 | 2025-11-05 | Dell CloudLink, versions prior to 8.2, contain a vulnerability where a privileged user with known password can run command injection from console to gain shell access of system. |
| CVE-2025-20303 | 2025-11-05 | Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the... |
| CVE-2025-20289 | 2025-11-05 | Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the... |
| CVE-2025-20305 | 2025-11-05 | A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability exists because certain files... |
| CVE-2025-20304 | 2025-11-05 | Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the... |
| CVE-2025-46364 | 2025-11-05 | Dell CloudLink, versions prior to 8.1.1, contain a vulnerability where a privileged user with known password can run CLI Escape Vulnerability to gain control of system. |
| CVE-2025-46365 | 2025-11-05 | Dell CloudLink, versions prior 8.1.1, contain a Command Injection vulnerability which can be exploited by an Authenticated attacker to cause Command Injection on an affected Dell CloudLink. |
| CVE-2025-46424 | 2025-11-05 | Dell CloudLink, versions prior to 8.2, contain use of a Cryptographic Primitive with a Risky Implementation vulnerability. A high privileged attacker could potentially exploit this vulnerability leading to Denial of... |
| CVE-2025-46366 | 2025-11-05 | Dell CloudLink, versions prior to 8.1.1, contain a vulnerability where a privileged user may exploit and gain parallel privilege escalation or access to the database to obtain confidential information. |
| CVE-2025-43990 | 2025-11-05 | Dell Command Monitor (DCM), versions prior to 10.12.3.28, contains an Execution with Unnecessary Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation... |
| CVE-2025-10713 | 2025-11-05 | XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration |
| CVE-2025-10907 | 2025-11-05 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution |
| CVE-2025-31954 | 2025-11-05 | HCL iAutomate is susceptible to a sensitive information disclosure |
| CVE-2025-11093 | 2025-11-05 | Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS) |
| CVE-2025-12745 | 2025-11-05 | QuickJS quickjs.c js_array_buffer_slice buffer over-read |
| CVE-2023-43000 | 2025-11-05 | A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6. Processing maliciously crafted web content may... |
| CVE-2025-43418 | 2025-11-05 | This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An attacker with physical access to a locked... |
| CVE-2025-5770 | 2025-11-05 | Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products |
| CVE-2025-10853 | 2025-11-05 | Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding |
| CVE-2025-12779 | 2025-11-05 | Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on... |
| CVE-2025-55278 | 2025-11-05 | HCL DevOps Loop is susceptible to an improper authentication vulnerability |
| CVE-2025-62161 | 2025-11-05 | youki container escape via "masked path" abuse due to mount race conditions |
| CVE-2025-62596 | 2025-11-05 | youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects |
| CVE-2025-64114 | 2025-11-05 | ClipBucket v5: SQL Injection possible through ClipBucket Custom Fields plugin |
| CVE-2025-64163 | 2025-11-05 | DataEase's DB2 is vulnerable to SSRF |
| CVE-2025-27916 | 2025-11-06 | An issue was discovered in AnyDesk through 9.0.4. When the connection between two clients is established via an IP address, it is possible to manipulate the data and spoof the... |
| CVE-2025-27917 | 2025-11-06 | An issue was discovered in AnyDesk through 9.0.4. Remote Denial of Service can occur because of incorrect deserialization that results in failed memory allocation and a NULL pointer dereference. |
| CVE-2025-27918 | 2025-11-06 | An issue was discovered in AnyDesk before 9.0.0. It has an integer overflow and resultant heap-based buffer overflow via a UDP packet during processing of an Identity user image within... |
| CVE-2025-27919 | 2025-11-06 | An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full... |
| CVE-2025-59392 | 2025-11-06 | On Elspec G5 devices through 1.2.2.19, a person with physical access to the device can reset the Admin password by inserting a USB drive (containing a publicly documented reset string)... |
| CVE-2025-60541 | 2025-11-06 | A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1.3.0 to v1.4.2 allows attackers to scan internal resources via a crafted request. |
| CVE-2025-63307 | 2025-11-06 | alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline... |
| CVE-2025-63551 | 2025-11-06 | A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in... |
| CVE-2025-63560 | 2025-11-06 | An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory... |
| CVE-2025-63588 | 2025-11-06 | An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g.,... |
| CVE-2025-63589 | 2025-11-06 | A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search... |
| CVE-2025-64164 | 2025-11-06 | DataEase is vulnerable to Oracle JNDI Injection |
| CVE-2025-64171 | 2025-11-06 | MARIN3R: Cross-Namespace Vulnerability in the Operator |
| CVE-2025-10683 | 2025-11-06 | Easy Email Subscription <= 1.3 - Authenticated (Admin+) SQL Injection via uid |
| CVE-2025-10691 | 2025-11-06 | Easy Email Subscription <= 1.3 - Cross-Site Request Forgery to Arbitrary Subscriber Deletion |
| CVE-2025-61994 | 2025-11-06 | Cross-site scripting vulnerability exists in GROWI prior to v7.2.10. If a malicious user creates a page containing crafted contents, an arbitrary script may be executed on the web browser of... |
| CVE-2025-12563 | 2025-11-06 | Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Incorrect Authorization to Video File Upload |
| CVE-2025-11271 | 2025-11-06 | Easy Digital Download <= 3.5.2 - Insufficient Verification to Order Manipulation |
| CVE-2025-12560 | 2025-11-06 | Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url |
| CVE-2025-9338 | 2025-11-06 | A improper restriction of operations within the bounds of a memory buffer exists in AsIO3.sys driver. This vulnerability can be triggered by manually executing a specially crafted process, potentially leading... |
| CVE-2025-12471 | 2025-11-06 | Hubbub Lite <= 1.36.0 - Reflected Cross-Site Scripting |
| CVE-2025-10259 | 2025-11-06 | Denial-of-Service(DoS) Vulnerability in TCP Communication Function on MELSEC iQ-F Series CPU module |
| CVE-2025-12360 | 2025-11-06 | Better Find and Replace <= 1.7.7 - Missing Authorization |
| CVE-2025-11268 | 2025-11-06 | Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2025-36054 | 2025-11-06 | Cross-site scripting vulnerability affect IBM Business Automation Workflow Process Federation Server - |
| CVE-2025-37735 | 2025-11-06 | Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases,... |
| CVE-2025-10955 | 2025-11-06 | HTML Injection in Netcad Software's Netigma |
| CVE-2025-11956 | 2025-11-06 | XSS in Proliz's OBS |
| CVE-2025-12556 | 2025-11-06 | IDIS ICM Viewer Argument Injection |
| CVE-2025-22288 | 2025-11-06 | WordPress Smush Image Compression and Optimization plugin <= 3.17.0 - Directory Traversal vulnerability |
| CVE-2025-28953 | 2025-11-06 | WordPress smart SEO plugin <= 4.0 - SQL Injection Vulnerability |
| CVE-2025-31029 | 2025-11-06 | WordPress replyMail plugin <= 1.2.0 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2025-32222 | 2025-11-06 | WordPress Widget Logic <= 6.0.5 - Remote Code Execution (RCE) Vulnerability |
| CVE-2025-39463 | 2025-11-06 | WordPress Dessau theme < 1.9 - Local File Inclusion vulnerability |
| CVE-2025-39465 | 2025-11-06 | WordPress Advanced Google Maps plugin <= 5.8.4 - Broken Access Control vulnerability |
| CVE-2025-39466 | 2025-11-06 | WordPress Dør theme <= 2.4 - Local File Inclusion Vulnerability |
| CVE-2025-39467 | 2025-11-06 | WordPress Wanderland theme <= 1.7.1 - Local File Inclusion Vulnerability |
| CVE-2025-39468 | 2025-11-06 | WordPress Modal Survey plugin <= 2.0.2.0.1 - Local File Inclusion vulnerability |
| CVE-2025-47588 | 2025-11-06 | WordPress Dynamic Pricing With Discount Rules for WooCommerce plugin <= 4.5.9 - Arbitrary Code Execution vulnerability |
| CVE-2025-48077 | 2025-11-06 | WordPress Block Country plugin <= 1.0 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability |