CVE List - 2025 / December
Showing 2401 - 2500 of 3706 CVEs for December 2025 (Page 25 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-43461 | 2025-12-12 | This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. |
| CVE-2025-43494 | 2025-12-12 | A mail header parsing issue was addressed with improved checks. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, macOS Sonoma 14.8.2,... |
| CVE-2025-46287 | 2025-12-12 | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS... |
| CVE-2025-43482 | 2025-12-12 | The issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to cause a... |
| CVE-2025-43416 | 2025-12-12 | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to access protected... |
| CVE-2025-43512 | 2025-12-12 | A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.2, macOS Sonoma 14.8.3, macOS Sequoia 15.7.3, iOS 18.7.3 and iPadOS 18.7.3. An app may... |
| CVE-2025-43519 | 2025-12-12 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to access sensitive... |
| CVE-2025-43466 | 2025-12-12 | An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. |
| CVE-2025-43523 | 2025-12-12 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. |
| CVE-2025-43470 | 2025-12-12 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. A standard user may be able to view files made from a disk image... |
| CVE-2025-43542 | 2025-12-12 | This issue was addressed with improved state management. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, visionOS... |
| CVE-2025-43539 | 2025-12-12 | The issue was addressed with improved bounds checks. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe... |
| CVE-2025-43538 | 2025-12-12 | A logging issue was addressed with improved data redaction. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS... |
| CVE-2025-43410 | 2025-12-12 | The issue was addressed with improved handling of caches. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.2, macOS Sonoma 14.8.2. An attacker with physical access may be... |
| CVE-2025-43406 | 2025-12-12 | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. |
| CVE-2025-43471 | 2025-12-12 | The issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. |
| CVE-2025-43467 | 2025-12-12 | This issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.1. An app may be able to gain root privileges. |
| CVE-2025-43522 | 2025-12-12 | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3. An app may be able to... |
| CVE-2025-43518 | 2025-12-12 | A logic issue was addressed with improved checks. This issue is fixed in watchOS 26.2, macOS Sonoma 14.8.3, macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3. An... |
| CVE-2025-14611 | 2025-12-12 | Gladinet CentreStack and TrioFox Hard Coded AES Keys |
| CVE-2025-14582 | 2025-12-12 | campcodes Online Student Enrollment System index.php unrestricted upload |
| CVE-2025-14583 | 2025-12-12 | campcodes Online Student Enrollment System register.php unrestricted upload |
| CVE-2025-67721 | 2025-12-12 | Aircompressor's Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer |
| CVE-2025-67749 | 2025-12-12 | PCSX2 has an Out-of-bounds Read due to unchecked offset and size passed to memcpy |
| CVE-2025-14584 | 2025-12-12 | itsourcecode COVID Tracking System Admin Login login.php sql injection |
| CVE-2025-14585 | 2025-12-12 | itsourcecode COVID Tracking System page sql injection |
| CVE-2025-54369 | 2025-12-12 | Node-SAML SAML Authentication Bypass |
| CVE-2025-13970 | 2025-12-13 | OpenPLC_V3 Cross-Site Request Forgery |
| CVE-2025-13403 | 2025-12-13 | Employee Spotlight – Team Member Showcase & Meet the Team Plugin <= 5.1.3 - Missing Authorization to Authenticated (Subscriber+) Tracking Opt-In/Opt-Out Modification |
| CVE-2025-14477 | 2025-12-13 | 404 Solution <= 3.1.0 - Authenticated (Admin+) SQL Injection via 'filterText' Parameter |
| CVE-2025-14581 | 2025-12-13 | HAPPY – Helpdesk Support Ticket System <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Reply |
| CVE-2025-12512 | 2025-12-13 | GenerateBlocks <= 2.1.2 - Authenticated (Contributor+) Information Exposure via Metadata |
| CVE-2025-14056 | 2025-12-13 | Custom Post Type UI <= 1.18.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'label' Import Parameter |
| CVE-2025-14278 | 2025-12-13 | HT Slider for Elementor <= 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-13089 | 2025-12-13 | WP Directory Kit <= 1.4.7 - Unauthenticated SQL Injection |
| CVE-2025-14050 | 2025-12-13 | Design Import/Export <= 2.2 - Authenticated (Administrator+) SQL Injection via XML File Import |
| CVE-2025-14454 | 2025-12-13 | Image Slider by Ays- Responsive Slider and Carousel <= 2.7.0 - Cross-Site Request Forgery to Arbitrary Slider Deletion |
| CVE-2025-11970 | 2025-12-13 | Emplibot – AI Content Writer with Keyword Research, Infographics, and Linking \| SEO Optimized \| Fully Automated <= 1.0.9 - Authenticated (Admin+) Server-Side Request Forgery |
| CVE-2025-14395 | 2025-12-13 | Popover Windows <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions |
| CVE-2025-9873 | 2025-12-13 | a3 Lazy Load <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-14366 | 2025-12-13 | Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation |
| CVE-2025-14378 | 2025-12-13 | Quick Testimonials <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-14540 | 2025-12-13 | Userback <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Plugin's Configuration Exposure |
| CVE-2025-14397 | 2025-12-13 | Postem Ipsum <= 3.0.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation in postem_ipsum_generate_users |
| CVE-2025-14447 | 2025-12-13 | AnnunciFunebri Impresa <= 4.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Deletion |
| CVE-2025-13094 | 2025-12-13 | WP3D Model Import Viewer <= 1.0.7 - Authenticated (Contributor+) Arbitrary File Upload |
| CVE-2025-11376 | 2025-12-13 | Colibri Page Builder <= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-14462 | 2025-12-13 | Lucky Draw Contests <= 4.2 - Cross-Site Request Forgery to Plugin Settings Update |
| CVE-2025-14475 | 2025-12-13 | Extensive VC Addons for WPBakery page builder <= 1.9.1 - Unauthenticated Local File Inclusion via 'shortcode_name' Parameter |
| CVE-2025-14476 | 2025-12-13 | Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import |
| CVE-2025-13705 | 2025-12-13 | Custom Frames <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Parameter |
| CVE-2025-14288 | 2025-12-13 | Gallery Blocks with Lightbox <= 3.3.0 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification |
| CVE-2025-9218 | 2025-12-13 | rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function |
| CVE-2025-14451 | 2025-12-13 | Solutions Ad Manager <= 1.0.0 - Unauthenticated Open Redirect via 'sam-redirect-to' Parameter |
| CVE-2025-13077 | 2025-12-13 | افزونه پیامک ووکامرس فوق حرفه ای (جدید) payamito sms woocommerce <= 1.3.5 - Unauthenticated Time-Based Blind SQL Injection |
| CVE-2025-13093 | 2025-12-13 | Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Missing Authorization to Unauthenticated Lead Tag Update |
| CVE-2025-12076 | 2025-12-13 | Social Media Auto Publish <= 3.6.5 - Reflected Cross-Site Scripting via PostMessage |
| CVE-2025-7058 | 2025-12-13 | Kingcabs <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via progressbarLayout Parameter |
| CVE-2025-14367 | 2025-12-13 | Easy Theme Options <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Import |
| CVE-2025-8617 | 2025-12-13 | YITH WooCommerce Quick View <= 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via yith_quick_view Shortcode |
| CVE-2025-14539 | 2025-12-13 | Shortcode Loader <= 1.0 - Unauthenticated Arbitrary Shortcode Execution via 'code' Parameter |
| CVE-2025-14508 | 2025-12-13 | MediaCommander – Bring Folders to Media, Posts, and Pages <= 2.3.1 - Missing Authorization to Authenticated (Author+) Media Folder Deletion |
| CVE-2025-14440 | 2025-12-13 | JAY Login & Register <= 2.4.01 - Authentication Bypass via Cookie |
| CVE-2025-11707 | 2025-12-13 | Login Lockdown & Protection <= 2.14 - IP Block Bypass |
| CVE-2025-11164 | 2025-12-13 | Mavix Education <= 1.0 - Missing Authorization to Authenticated (Subscriber+) 'Creativ Demo Importer' Plugin Activation |
| CVE-2025-12077 | 2025-12-13 | WP to LinkedIn Auto Publish <= 1.9.8 - Reflected Cross-Site Scripting via PostMessage |
| CVE-2025-14365 | 2025-12-13 | Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion |
| CVE-2025-14394 | 2025-12-13 | Popover Windows <= 1.2 - Cross-Site Request Forgery to Arbitrary Popover Configuration Update |
| CVE-2025-13092 | 2025-12-13 | Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Unauthenticated Information Exposure |
| CVE-2025-12109 | 2025-12-13 | Header Footer Script Adder – Insert Code in Header, Body & Footer <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-9488 | 2025-12-13 | Redux Framework <= 4.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via data Parameter |
| CVE-2025-11693 | 2025-12-13 | Export WP Page to Static HTML & PDF <= 4.3.4 - Unauthenticated Cookie Exposure via Log File |
| CVE-2025-14446 | 2025-12-13 | Popup Builder <= 1.1.37 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Reset |
| CVE-2025-12362 | 2025-12-13 | myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7 - Missing Authorization to Unauthenticated Withdrawal Request Approval |
| CVE-2025-9116 | 2025-12-13 | WPS Visitor Counter Plugin <= 1.4.8 - Reflected XSS via $_SERVER['REQUEST_URI'] |
| CVE-2025-14586 | 2025-12-13 | TOTOLINK X5000R cstecgi.cgi snprintf os command injection |
| CVE-2025-10738 | 2025-12-13 | URL Shortener Plugin For WordPress <= 3.0.7 - Unauthenticated SQL Injection |
| CVE-2025-9207 | 2025-12-13 | TI WooCommerce Wishlist <= 2.10.0 - Unauthenticated HTML Injection |
| CVE-2025-8779 | 2025-12-13 | All-in-One Addons for Elementor – WidgetKit <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team and Countdown Widgets |
| CVE-2025-10289 | 2025-12-13 | Filter & Grids <= 3.2.0 - Unauthenticated SQL Injection |
| CVE-2025-36751 | 2025-12-13 | Missing encryption on Local Configuration Interface or Cloud Endpoint Communication - Growatt MIC3300TL-X and ShineLan-X |
| CVE-2025-36753 | 2025-12-13 | SWD Interface Open on Growatt ShineLan-X |
| CVE-2025-36750 | 2025-12-13 | Stored cross site scripting (XSS) vulnerability in Growatt ShineLan-X |
| CVE-2025-36748 | 2025-12-13 | Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X |
| CVE-2025-36754 | 2025-12-13 | Authentication bypass on web interface |
| CVE-2025-36752 | 2025-12-13 | Undocumented backup Account and No Password Configuration Capability |
| CVE-2025-36747 | 2025-12-13 | Hardcoded FTP Credentials within the firmware |
| CVE-2025-7960 | 2025-12-13 | King Addons for Elementor <= 51.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets |
| CVE-2025-0969 | 2025-12-13 | Brizy – Page Builder <= 2.7.16 - Authenticated (Contributor+) Sensitive Information Exposure via get_users Function |
| CVE-2025-8195 | 2025-12-13 | JetWidgets For Elementor <= 1.0.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison and Subscribe Widgets |
| CVE-2025-8199 | 2025-12-13 | MarqueeAddons <= 2.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Marquee Widget |
| CVE-2025-8687 | 2025-12-13 | Enter Addons <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets |
| CVE-2025-9856 | 2025-12-13 | Popup Builder – Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-8780 | 2025-12-13 | Livemesh SiteOrigin Widgets <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets |
| CVE-2025-14587 | 2025-12-13 | itsourcecode Online Pet Shop Management System available.php sql injection |
| CVE-2025-14542 | 2025-12-13 | Command execution in python-utcp allows attackers to achieve remote code execution when fetching a remote Manual from a malicious endpoint |
| CVE-2025-14588 | 2025-12-13 | itsourcecode Student Management System update_program.php sql injection |
| CVE-2025-14589 | 2025-12-13 | code-projects Prison Management System search.php sql injection |
| CVE-2025-14590 | 2025-12-13 | code-projects Prison Management System search1.php sql injection |
| CVE-2025-14606 | 2025-12-13 | tiny-rdm Tiny RDM Pickle Decoding pickle_convert.go pickle.loads deserialization |