CVE List - 2025 / December
Showing 2601 - 2700 of 3706 CVEs for December 2025 (Page 27 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-14549 | 2025-12-15 | OMR on Z processors Exposing a possible buffer over-read problem |
| CVE-2025-14712 | 2025-12-15 | JHENG GAO|Student Learning Assessment and Support System - Exposure of Sensitive Information |
| CVE-2025-11363 | 2025-12-15 | Royal Elementor Addons and Templates < 1.7.1037 - Unauthenticated Media File Upload |
| CVE-2025-12684 | 2025-12-15 | URL Shortify < 1.11.3 - Reflected XSS |
| CVE-2025-13355 | 2025-12-15 | URL Shortify < 1.11.4 - Reflected XSS |
| CVE-2025-14707 | 2025-12-15 | Shiguangwu sgwbox N3 DOCKER Feature http_eshell_server command injection |
| CVE-2025-14708 | 2025-12-15 | Shiguangwu sgwbox N3 WIREDCFGGET http_eshell_server buffer overflow |
| CVE-2025-14019 | 2025-12-15 | LINE client for Android versions from 13.8 to 15.5 is vulnerable to UI spoofing in the in-app browser where a specific layout could obscure the full-screen warning prompt, potentially allowing... |
| CVE-2025-14020 | 2025-12-15 | LINE client for Android versions prior to 14.20 contains a UI spoofing vulnerability in the in-app browser where the full-screen security Toast notification is not properly re-displayed when users return... |
| CVE-2025-14021 | 2025-12-15 | The in-app browser in LINE client for iOS versions prior to 14.14 is vulnerable to address bar spoofing, which could allow attackers to execute malicious JavaScript within iframes while displaying... |
| CVE-2025-14022 | 2025-12-15 | LINE client for iOS prior to 15.4 allows man-in-the-middle attacks due to improper SSL/TLS certificate validation in an integrated financial SDK. The SDK interfered with the application's network processing, causing... |
| CVE-2025-14023 | 2025-12-15 | LINE client for iOS prior to 15.19 allows UI spoofing due to inconsistencies between the navigation state and the in-app browser's user interface, which could create confusion about the trust... |
| CVE-2025-14709 | 2025-12-15 | Shiguangwu sgwbox N3 WIRELESSCFGGET http_eshell_server buffer overflow |
| CVE-2025-14710 | 2025-12-15 | FantasticLBP Hotels Server OrderList.php sql injection |
| CVE-2025-14711 | 2025-12-15 | FantasticLBP Hotels Server hotelList.php sql injection |
| CVE-2025-37732 | 2025-12-15 | Kibana Cross-site Scripting via the Integration Package Upload Functionality |
| CVE-2025-14714 | 2025-12-15 | TCC Bypass via Inherited Permissions in Bundled Interpreter |
| CVE-2025-37731 | 2025-12-15 | Elasticsearch Improper Authentication |
| CVE-2025-11670 | 2025-12-15 | NTLM Hash Exposure Vulnerability |
| CVE-2025-66388 | 2025-12-15 | Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI |
| CVE-2025-13608 | 2025-12-15 | CC Child Pages <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'child_pages' Shortcode |
| CVE-2025-13367 | 2025-12-15 | User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-14003 | 2025-12-15 | Image Gallery – Photo Grid & Video Gallery <= 2.13.3 - Missing Authorization to Authenticated (Author+) Arbitrary Gallery Modification |
| CVE-2025-13610 | 2025-12-15 | RegistrationMagic <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode |
| CVE-2025-12900 | 2025-12-15 | FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering |
| CVE-2025-14383 | 2025-12-15 | Booking Calendar <= 10.14.8 - Unauthenticated SQL Injection via dates_to_check |
| CVE-2025-13728 | 2025-12-15 | FluentAuth - Auth Security Plugin <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluent_auth_reset_password' Shortcode |
| CVE-2025-13950 | 2025-12-15 | OneSignal – Web Push Notifications <= 3.6.1 - Missing Authorization to Unauthenticated Plugin Settings Update |
| CVE-2025-14156 | 2025-12-15 | Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5.1 - Unauthenticated Privilege Escalation via 'createOrder' |
| CVE-2025-34179 | 2025-12-15 | NetSupport Manager < 14.12.0001 Unauthenticated SQLi Local File Disclosure |
| CVE-2025-34180 | 2025-12-15 | NetSupport Manager < 14.12.0001 Gateway Key Reversible Encoding Credential Recovery |
| CVE-2025-34181 | 2025-12-15 | NetSupport Manager < 14.12.0001 Authenticated Path Traversal Arbitrary File Write RCE |
| CVE-2025-34411 | 2025-12-15 | Convercent Whistleblowing Platform Unauthenticated GetLegalEntity Endpoint Enables Customer Enumeration |
| CVE-2025-34412 | 2025-12-15 | Convercent Whistleblowing Platform Protection Mechanism Failure Insecure Default Browser & Session Controls |
| CVE-2025-13823 | 2025-12-15 | Micro820®, Micro850®, Micro870® – Specialized Fuzzing Vulnerabilities |
| CVE-2025-13824 | 2025-12-15 | Micro820®, Micro850®, Micro870® – Specialized Fuzzing Vulnerabilities |
| CVE-2025-14387 | 2025-12-15 | LearnPress – WordPress LMS Plugin <= 4.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via get_profile_social |
| CVE-2025-13888 | 2025-12-15 | Openshift-gitops-operator: openshift gitops: namespace admin cluster takeover via privileged jobs |
| CVE-2025-11393 | 2025-12-15 | Insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator: improper proxy configuration allows unauthorized administrative commands |
| CVE-2025-14038 | 2025-12-15 | EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause... |
| CVE-2025-36360 | 2025-12-15 | IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insufficient Session Expiration vulnerability |
| CVE-2025-12035 | 2025-12-15 | Bluetooth: Integer Overflow in Bluetooth Classic (BR/EDR) L2CAP |
| CVE-2025-14148 | 2025-12-15 | IBM DevOps Deploy is susceptible to a Insufficiently Protected Credentials vulnerability |
| CVE-2025-14503 | 2025-12-15 | Overly Permissive Trust Policy in Harmonix on AWS EKS |
| CVE-2025-13489 | 2025-12-15 | IBM DevOps Deploy is susceptible to a Cleartext Transmission of Sensitive Information |
| CVE-2025-59947 | 2025-12-15 | NanoMQ has Buffer Overflow |
| CVE-2025-64725 | 2025-12-15 | Weblate has improper validation upon invitation acceptance |
| CVE-2023-53868 | 2025-12-15 | Coppermine Gallery 1.6.25 Remote Code Execution via Plugin Upload |
| CVE-2023-53869 | 2025-12-15 | WEBIGniter 28.7.23 Unrestricted File Upload Remote Code Execution |
| CVE-2023-53870 | 2025-12-15 | Jorani 1.0.3 Cross-Site Scripting Vulnerability via Language Parameter |
| CVE-2023-53871 | 2025-12-15 | Soosyze 2.0.0 Unrestricted File Upload via Broken Upload Logic |
| CVE-2023-53872 | 2025-12-15 | Wp2Fac 1.0 OS Command Injection via send.php Endpoint |
| CVE-2023-53873 | 2025-12-15 | SyncBreeze 15.2.24 Denial of Service via Login Endpoint Overflow |
| CVE-2023-53874 | 2025-12-15 | GOM Player 2.3.90.5360 Buffer Overflow via Equalizer Preset Name |
| CVE-2023-53875 | 2025-12-15 | GOM Player 2.3.90.5360 Remote Code Execution via Insecure IE Component |
| CVE-2023-53876 | 2025-12-15 | Academy LMS 6.1 Arbitrary File Upload Vulnerability via Profile Settings |
| CVE-2023-53877 | 2025-12-15 | Bus Reservation System 1.1 Multiple SQL Injection via pickup_id Parameter |
| CVE-2023-53878 | 2025-12-15 | Member Login Script 3.3 Client-Side Request Desynchronization Vulnerability |
| CVE-2023-53880 | 2025-12-15 | Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces |
| CVE-2023-53881 | 2025-12-15 | ReyeeOS 1.204.1614 Man-in-the-Middle Remote Code Execution via CWMP |
| CVE-2023-53882 | 2025-12-15 | JLex GuestBook 1.6.4 Reflected Cross-Site Scripting via URL Parameter |
| CVE-2023-53883 | 2025-12-15 | Webedition CMS v2.9.8.8 Remote Code Execution via PHP Page Creation |
| CVE-2023-53884 | 2025-12-15 | Webedition CMS v2.9.8.8 Stored Cross-Site Scripting via SVG Upload |
| CVE-2023-53885 | 2025-12-15 | Webutler v3.2 Remote Code Execution via Arbitrary File Upload |
| CVE-2023-53886 | 2025-12-15 | Xlight FTP Server 3.9.3.6 Stack Buffer Overflow Vulnerability via Execute Program |
| CVE-2023-53887 | 2025-12-15 | Zomplog 3.9 Cross-Site Scripting Vulnerability via Page Creation |
| CVE-2023-53888 | 2025-12-15 | Zomplog 3.9 Remote Code Execution via Authenticated File Manipulation |
| CVE-2023-53889 | 2025-12-15 | Perch CMS 3.2 Remote Code Execution via Unrestricted File Upload |
| CVE-2023-53890 | 2025-12-15 | Perch CMS 3.2 Stored Cross-Site Scripting via SVG File Upload |
| CVE-2023-53891 | 2025-12-15 | Blackcat CMS 1.4 Stored Cross-Site Scripting via Page Modification |
| CVE-2023-53892 | 2025-12-15 | Blackcat CMS 1.4 Remote Code Execution via Jquery Plugin Manager |
| CVE-2023-53893 | 2025-12-15 | Ateme TITAN File 3.9 Authenticated Server-Side Request Forgery Vulnerability |
| CVE-2025-14722 | 2025-12-15 | vion707 DMadmin Backend AddonsController.class.php add cross site scripting |
| CVE-2023-53879 | 2025-12-15 | NVClient 5.0 Stack Buffer Overflow Vulnerability via User Configuration |
| CVE-2025-9122 | 2025-12-15 | Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information |
| CVE-2025-9121 | 2025-12-15 | Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data |
| CVE-2025-64338 | 2025-12-15 | ClipBucket's Manage Photos Feature is Vulnerable to Stored XSS via Collection Name |
| CVE-2025-14729 | 2025-12-15 | CTCMS Content Management System Backend App Configuration Ct_App.php save code injection |
| CVE-2025-14730 | 2025-12-15 | CTCMS Content Management System Backend System Configuration Ct_Config.php code injection |
| CVE-2025-58173 | 2025-12-15 | FreshRSS vulnerable to authenticated RCE via path traversal inside include() |
| CVE-2025-66402 | 2025-12-15 | misskey.js's export data contains private post data |
| CVE-2025-66482 | 2025-12-15 | Misskey has a login rate limit bypass via spoofed X-Forwarded-For header |
| CVE-2025-14593 | 2025-12-15 | CATPART File Parsing Out-of-Bounds Read Vulnerability |
| CVE-2025-14731 | 2025-12-15 | CTCMS Content Management System Frontend/Template Management CT_Parser.php special elements used in a template engine |
| CVE-2025-9452 | 2025-12-15 | SLDPRT File Parsing Memory Corruption Vulnerability |
| CVE-2025-9453 | 2025-12-15 | PRT File Parsing Out-of-Bounds Read Vulnerability |
| CVE-2025-9454 | 2025-12-15 | PRT File Parsing Out-of-Bounds Read Vulnerability |
| CVE-2025-9455 | 2025-12-15 | CATPRODUCT File Parsing Out-of-Bounds Read Vulnerability |
| CVE-2025-66407 | 2025-12-15 | Weblate has Server-Side Request Forgery vulnerability |
| CVE-2025-9456 | 2025-12-15 | SLDPRT File Parsing Memory Corruption Vulnerability |
| CVE-2025-9457 | 2025-12-15 | PRT File Parsing Memory Corruption Vulnerability |
| CVE-2025-9459 | 2025-12-15 | SLDPRT File Parsing Out-of-Bounds Read Vulnerability |
| CVE-2025-9460 | 2025-12-15 | SLDPRT File Parsing Out-of-Bounds Read Vulnerability |
| CVE-2025-10881 | 2025-12-15 | CATPRODUCT File Parsing Heap-Based Overflow Vulnerability |
| CVE-2025-10882 | 2025-12-15 | X_T File Parsing Out-of-Bounds Write Vulnerability |
| CVE-2025-10883 | 2025-12-15 | CATPRODUCT File Parsing Out-of-Bounds Read Vulnerability |
| CVE-2025-10884 | 2025-12-15 | CATPART File Parsing Out-of-Bounds Write Vulnerability |
| CVE-2025-10886 | 2025-12-15 | MODEL File Parsing Memory Corruption Vulnerability |
| CVE-2025-10887 | 2025-12-15 | MODEL File Parsing Memory Corruption Vulnerability |
| CVE-2025-10888 | 2025-12-15 | MODEL File Parsing Out-of-Bounds Write Vulnerability |