CVE List - 2025 / December
Showing 2301 - 2400 of 3706 CVEs for December 2025 (Page 24 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-13660 | 2025-12-12 | Guest Support <= 1.2.3 - Unauthenticated User Email Disclosure in guest_support_handler AJAX Endpoint |
| CVE-2025-12570 | 2025-12-12 | Fancy Product Designer <= 6.4.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload |
| CVE-2025-14356 | 2025-12-12 | Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF |
| CVE-2025-14068 | 2025-12-12 | WPNakama <= 0.6.3 - Unauthenticated SQL Injection via 'order_by' Parameter |
| CVE-2025-12655 | 2025-12-12 | Hippoo Mobile App for WooCommerce <= 1.7.1 - Missing Authorization to Unauthenticated Limited File Write |
| CVE-2025-67727 | 2025-12-12 | Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management |
| CVE-2025-67737 | 2025-12-12 | AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE |
| CVE-2025-67728 | 2025-12-12 | Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE) |
| CVE-2025-11876 | 2025-12-12 | Mailgun Subscriptions <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-4970 | 2025-12-12 | BSK PDF Manager <= 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2025-14049 | 2025-12-12 | VikRentItems Flexible Rental Management System <= 1.2.0 - Reflected Cross-Site Scripting via 'delto' Parameter |
| CVE-2025-13891 | 2025-12-12 | Image Gallery – Photo Grid & Video Gallery (Modula) <= 2.13.3 - Missing Authorization to Arbitrary Directory Listing |
| CVE-2025-10583 | 2025-12-12 | WP Fastest Cache Premium <= 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Blind Server-Side Request Forgery |
| CVE-2025-14169 | 2025-12-12 | FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.5 - Unauthenticated SQL Injection |
| CVE-2025-67730 | 2025-12-12 | Frappe authenticated users can execute XSS through form description fields |
| CVE-2025-67731 | 2025-12-12 | Servify Express does not enforce rate limiting when parsing JSON |
| CVE-2025-12960 | 2025-12-12 | Simple CSV Table <= 1.0.1 - Directory Traversal to Authenticated (Contributor+) Arbitrary File Read |
| CVE-2025-40829 | 2025-12-12 | A vulnerability has been identified in Simcenter Femap (All versions < V2512). The affected applications contains an uninitialized memory vulnerability while parsing specially crafted SLDPRT files. This could allow an... |
| CVE-2025-23408 | 2025-12-12 | Apache Fineract: weak password policy |
| CVE-2025-58130 | 2025-12-12 | Apache Fineract: Server Key not masked |
| CVE-2025-14074 | 2025-12-12 | PDF for Contact Form 7 + Drag and Drop Template Builder <= 6.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Duplication |
| CVE-2025-13993 | 2025-12-12 | MailerLite – Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting |
| CVE-2025-12348 | 2025-12-12 | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution |
| CVE-2025-58137 | 2025-12-12 | Apache Fineract: IDOR via self-service API |
| CVE-2025-26866 | 2025-12-12 | Apache HugeGraph-Server: RAFT and deserialization vulnerability |
| CVE-2025-12841 | 2025-12-12 | Bookit < 2.5.1 – Unauthenticated Settings Update |
| CVE-2025-12835 | 2025-12-12 | WooMulti <= 1.7 - Subscriber+ Arbitrary File Deletion |
| CVE-2025-14065 | 2025-12-12 | Simple Bike Rental <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Booking Data Exposure |
| CVE-2025-14442 | 2025-12-12 | Secure Copy Content Protection and Content Locking <= 4.9.2 - Unauthenticated Sensitive Information Exposure via Exposed CSV Export File |
| CVE-2025-14159 | 2025-12-12 | Secure Copy Content Protection and Content Locking <= 4.9.2 - Cross-Site Request Forgery to Data Export |
| CVE-2025-12965 | 2025-12-12 | Magical Posts Display <= 1.2.54 - Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget |
| CVE-2025-12408 | 2025-12-12 | Events Manager <= 7.2.2.2 - Unauthenticated Information Exposure |
| CVE-2025-12407 | 2025-12-12 | Events Manager – Calendar, Bookings, Tickets, and more! <= 7.2.2.2 - Cross-Site Request Forgery to Location Deletion |
| CVE-2025-14030 | 2025-12-12 | AI Feeds <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode |
| CVE-2025-13506 | 2025-12-12 | Improper Authorization in Nebim Neyir's Nebim V3 ERP |
| CVE-2025-36755 | 2025-12-12 | CleverDisplay BlueOne unauthorized BIOS access through physical USB keyboard |
| CVE-2025-58770 | 2025-12-12 | TCG2 TPM RT Not Locked Issue |
| CVE-2025-36745 | 2025-12-12 | SolarEdge SE3680H contains Linux Kernel vulnerabilities |
| CVE-2025-36744 | 2025-12-12 | SolarEdge SE3680H - Information Exposure during Bootloader Loop |
| CVE-2025-36743 | 2025-12-12 | SolarEdge SE3680H - Exposed Debug interface |
| CVE-2025-36746 | 2025-12-12 | SolarEdge Monitoring Platform contains a XSS upon report deletion |
| CVE-2025-54981 | 2025-12-12 | Apache StreamPark: Weak Encryption Algorithm in StreamPark |
| CVE-2025-54947 | 2025-12-12 | Apache StreamPark: Use hard-coded key vulnerability |
| CVE-2025-53960 | 2025-12-12 | Apache StreamPark: Uses the user’s password as the secret key |
| CVE-2025-12843 | 2025-12-12 | Code Injection in Wave Term v0.12.2 allowing TCC Bypass |
| CVE-2025-14565 | 2025-12-12 | kidaze CourseSelectionSystem login1.php sql injection |
| CVE-2025-14566 | 2025-12-12 | kidaze CourseSelectionSystem reg.php sql injection |
| CVE-2025-13733 | 2025-12-12 | BuhoNTFS 1.3.2 - Local Privilege Escalation |
| CVE-2025-14567 | 2025-12-12 | haxxorsid Stock-Management-System employees missing authentication |
| CVE-2025-40345 | 2025-12-12 | usb: storage: sddr55: Reject out-of-bound new_pba |
| CVE-2025-14568 | 2025-12-12 | haxxorsid Stock-Management-System User.php sql injection |
| CVE-2025-14569 | 2025-12-12 | ggml-org whisper.cpp common-whisper.cpp read_audio_data use after free |
| CVE-2025-14570 | 2025-12-12 | projectworlds Advanced Library Management System view_admin.php sql injection |
| CVE-2025-14571 | 2025-12-12 | projectworlds Advanced Library Management System borrow_book.php sql injection |
| CVE-2025-8082 | 2025-12-12 | Vuetify XSS via unsanitized 'titleDateFormat' in 'VDatePicker' |
| CVE-2025-14174 | 2025-12-12 | Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML... |
| CVE-2025-14372 | 2025-12-12 | Use after free in Password Manager in Google Chrome prior to 143.0.7499.110 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity:... |
| CVE-2025-14373 | 2025-12-12 | Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2025-8083 | 2025-12-12 | Vuetify Prototype Pollution via Preset options |
| CVE-2025-14572 | 2025-12-12 | UTT 进取 512W formWebAuthGlobalConfig memory corruption |
| CVE-2025-67734 | 2025-12-12 | Frappe Authenticated Users can Execute JavaScript through its Job Form |
| CVE-2024-14010 | 2025-12-12 | Typora 1.7.4 OS Command Injection via Export PDF Preferences |
| CVE-2024-58299 | 2025-12-12 | PCMan FTP Server 2.0 Remote Buffer Overflow via 'pwd' Command |
| CVE-2024-58305 | 2025-12-12 | WonderCMS 4.3.2 Cross-Site Scripting Remote Code Execution via Module Installation |
| CVE-2024-58311 | 2025-12-12 | Dormakaba Saflok System 6000 Key Generation Cryptographic Weakness |
| CVE-2024-58314 | 2025-12-12 | Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI |
| CVE-2025-14578 | 2025-12-12 | itsourcecode Student Management System update_account.php sql injection |
| CVE-2025-67750 | 2025-12-12 | Lightning Flow Scanner is Vulnerable to Code Injection via Unsafe Use of new Function() in APIVersion Rule |
| CVE-2024-58316 | 2025-12-12 | Online Shopping System Advanced 1.0 SQL Injection via Payment Success Parameter |
| CVE-2025-14580 | 2025-12-12 | Qualitor viewDocumento.php cross site scripting |
| CVE-2025-67634 | 2025-12-12 | Software Acquisition Guide Supplier Response Web Tool XSS |
| CVE-2025-11266 | 2025-12-12 | Grassroots DICOM (GDCM) Out-of-bounds Write |
| CVE-2025-43521 | 2025-12-12 | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3. An app may be able to... |
| CVE-2025-43464 | 2025-12-12 | A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.1. Visiting a website may lead to an app denial-of-service. |
| CVE-2025-43517 | 2025-12-12 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may... |
| CVE-2025-43393 | 2025-12-12 | A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox. |
| CVE-2025-43404 | 2025-12-12 | A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. |
| CVE-2025-43516 | 2025-12-12 | A session management issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. A user with Voice Control enabled may... |
| CVE-2025-43351 | 2025-12-12 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. |
| CVE-2025-43388 | 2025-12-12 | An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. |
| CVE-2025-43520 | 2025-12-12 | A memory corruption issue was addressed with improved memory handling. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, tvOS 26.1, macOS... |
| CVE-2025-43465 | 2025-12-12 | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access... |
| CVE-2025-46276 | 2025-12-12 | An information disclosure issue was addressed with improved privacy controls. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2,... |
| CVE-2025-43473 | 2025-12-12 | This issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. |
| CVE-2025-43497 | 2025-12-12 | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox. |
| CVE-2025-43511 | 2025-12-12 | A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, iOS 18.7.2 and iPadOS... |
| CVE-2025-43527 | 2025-12-12 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3. An app may be able to gain root privileges. |
| CVE-2025-43320 | 2025-12-12 | The issue was addressed by adding additional logic. This issue is fixed in macOS Tahoe 26, macOS Sequoia 15.7.3. An app may be able to bypass launch constraint protections and... |
| CVE-2025-43463 | 2025-12-12 | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sonoma 14.8.3, macOS Tahoe 26.1, macOS Sequoia 15.7.3. An... |
| CVE-2025-46289 | 2025-12-12 | A logic issue was addressed with improved file handling. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to access... |
| CVE-2025-43530 | 2025-12-12 | This issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.2, macOS Sonoma 14.8.3, macOS Sequoia 15.7.3, iOS 18.7.3 and iPadOS 18.7.3. An app may be... |
| CVE-2025-43402 | 2025-12-12 | The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.1. An app may be able to cause unexpected system termination or corrupt process memory. |
| CVE-2025-43510 | 2025-12-12 | A memory corruption issue was addressed with improved lock state checking. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, tvOS 26.1,... |
| CVE-2025-43506 | 2025-12-12 | A logic error was addressed with improved error handling. This issue is fixed in macOS Tahoe 26.1. iCloud Private Relay may not activate when more than one user is logged... |
| CVE-2025-46285 | 2025-12-12 | An integer overflow was addressed by adopting 64-bit timestamps. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS... |
| CVE-2025-43513 | 2025-12-12 | A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to... |
| CVE-2025-43381 | 2025-12-12 | This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to delete protected user data. |
| CVE-2025-43509 | 2025-12-12 | This issue was addressed with improved data protection. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to access sensitive... |
| CVE-2025-43437 | 2025-12-12 | An information disclosure issue was addressed with improved privacy controls. This issue is fixed in iOS 26.1 and iPadOS 26.1. An app may be able to fingerprint the user. |
| CVE-2025-43532 | 2025-12-12 | A memory corruption issue was addressed with improved bounds checking. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2,... |