CVE List - 2025 / September
Showing 3801 - 3900 of 4322 CVEs for September 2025 (Page 39 of 44)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-43816 | 2025-09-25 | A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through... |
| CVE-2025-11005 | 2025-09-25 | TOTOLINK X6000R Unauthenticated Command Injection Vulnerability |
| CVE-2025-10973 | 2025-09-25 | JackieDYH Resume-management-system show.php sql injection |
| CVE-2025-26482 | 2025-09-25 | Dell PowerEdge Server BIOS and Dell iDRAC9, all versions, contains an Information Disclosure vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information Disclosure. |
| CVE-2025-10974 | 2025-09-25 | giantspatula SewKinect Endpoint calculate pickle.loads deserialization |
| CVE-2025-10975 | 2025-09-25 | GuanxingLu vlarl ZeroMQ reasoning_server.py run_reasoning_server deserialization |
| CVE-2025-10976 | 2025-09-25 | JeecgBoot getDepartUserList improper authorization |
| CVE-2025-10977 | 2025-09-25 | JeecgBoot deleteBatch improper authorization |
| CVE-2025-10978 | 2025-09-25 | JeecgBoot Filter exportXls improper authorization |
| CVE-2025-10979 | 2025-09-25 | JeecgBoot exportXls improper authorization |
| CVE-2025-10980 | 2025-09-25 | JeecgBoot exportXls improper authorization |
| CVE-2025-26258 | 2025-09-26 | Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.' |
| CVE-2025-45994 | 2025-09-26 | An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1. |
| CVE-2025-55187 | 2025-09-26 | In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges. |
| CVE-2025-55847 | 2025-09-26 | Wavlink M86X3A_V240730 contains a buffer overflow vulnerability in the /cgi-bin/ExportAllSettings.cgi file. The vulnerability arises because the Cookie parameter does not properly validate the length of input data. Attackers can exploit... |
| CVE-2025-55848 | 2025-09-26 | An issue was discovered in DIR-823 firmware 20250416. There is an RCE vulnerability in the set_cassword settings interface, as the http_casswd parameter is not filtered by '&' to allow injection of... |
| CVE-2025-56383 | 2025-09-26 | Notepad++ v8.8.3 has a DLL hijacking vulnerability, which can replace the original DLL file to execute malicious code. NOTE: this is disputed by multiple parties because the behavior only occurs... |
| CVE-2025-56463 | 2025-09-26 | Mercusys MW305R 3.30 and below has a Transport Layer Security (TLS) certificate private key disclosure. |
| CVE-2025-57292 | 2025-09-26 | Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. The application fails to properly validate the MIME type and sanitize image metadata. |
| CVE-2025-57692 | 2025-09-26 | PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user's browser. |
| CVE-2025-58384 | 2025-09-26 | In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. |
| CVE-2025-58385 | 2025-09-26 | In DOXENSE WATCHDOC before 6.1.0.5094, private user puk codes can be disclosed for Active Directory registered users (there is hard-coded and predictable data). |
| CVE-2025-59362 | 2025-09-26 | Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c. |
| CVE-2025-60017 | 2025-09-26 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 allow root OS command injection via the hostapd_restart.sh wifi_ssid or wifi_pass parameter (within restart_wifi_ap and restart_wifi_sta). |
| CVE-2025-60250 | 2025-09-26 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV. |
| CVE-2025-60251 | 2025-09-26 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring. |
| CVE-2025-10981 | 2025-09-26 | JeecgBoot exportXls improper authorization |
| CVE-2025-10987 | 2025-09-26 | YunaiV yudao-cloud HTTP Request transfer improper authorization |
| CVE-2025-10988 | 2025-09-26 | YunaiV ruoyi-vue-pro transfer improper authorization |
| CVE-2025-10989 | 2025-09-26 | yangzongzhuan RuoYi selectAll improper authorization |
| CVE-2025-10992 | 2025-09-26 | roncoo roncoo-pay lookupList improper authorization |
| CVE-2025-10993 | 2025-09-26 | MuYuCMS Template Management admin.php code injection |
| CVE-2025-8906 | 2025-09-26 | Widgets for Tiktok Feed <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-10178 | 2025-09-26 | CM Business Directory <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-8200 | 2025-09-26 | Mega Elements – Addons for Elementor <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget |
| CVE-2025-10752 | 2025-09-26 | OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Cross-Site Request Forgery |
| CVE-2025-10994 | 2025-09-26 | Open Babel gamessformat.cpp ReadMolecule use after free |
| CVE-2025-10995 | 2025-09-26 | Open Babel zipstreamimpl.h underflow memory corruption |
| CVE-2025-10996 | 2025-09-26 | Open Babel smilesformat.cpp ParseSmiles heap-based overflow |
| CVE-2025-10997 | 2025-09-26 | Open Babel chemkinformat.cpp CheckSpecies heap-based overflow |
| CVE-2025-10998 | 2025-09-26 | Open Babel chemkinformat.cpp ReadReactionQualifierLines null pointer dereference |
| CVE-2025-10999 | 2025-09-26 | Open Babel cacaoformat.cpp SetHilderbrandt null pointer dereference |
| CVE-2025-10173 | 2025-09-26 | ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.3 - Insufficient Authorization to Authenticated (Editor+) Settings Update |
| CVE-2025-10745 | 2025-09-26 | Banhammer – Monitor Site Traffic, Block Bad Users and Bots <= 3.4.8 - Unauthenticated Protection Mechanism Bypass |
| CVE-2025-9044 | 2025-09-26 | Mapster WP Maps <= 1.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-10377 | 2025-09-26 | System Dashboard <= 2.8.20 - Cross-Site Request Forgery |
| CVE-2025-11000 | 2025-09-26 | Open Babel PQSformat.cpp ReadMolecule null pointer dereference |
| CVE-2025-10037 | 2025-09-26 | Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Admin+) SQL Injection |
| CVE-2025-9984 | 2025-09-26 | Featured Image from URL (FIFU) <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure |
| CVE-2025-9985 | 2025-09-26 | Featured Image from URL (FIFU) <= 5.2.7 - Unauthenticated Information Exposure via Log File |
| CVE-2025-10036 | 2025-09-26 | Featured Image from URL (FIFU) <= 5.2.7 - Authenticated (Admin+) SQL Injection |
| CVE-2025-10747 | 2025-09-26 | WP-DownloadManager <= 1.68.11 - Authenticated (Admin+) Arbitrary File Upload |
| CVE-2025-9490 | 2025-09-26 | Popup Maker <= 1.20.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter |
| CVE-2025-10307 | 2025-09-26 | Backuply – Backup, Restore, Migrate and Clone <= 1.4.8 - Authenticated (Admin+) Arbitrary File Deletion |
| CVE-2025-10137 | 2025-09-26 | Snow Monkey <= 29.1.5 - Unauthenticated Blind Server-Side Request Forgery |
| CVE-2025-10180 | 2025-09-26 | Markdown Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-10136 | 2025-09-26 | TweetThis Shortcode <= 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-10490 | 2025-09-26 | Zephyr Project Manager <= 3.3.202 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-35027 | 2025-09-26 | Unitree Multiple Robotic Products Command Injection |
| CVE-2025-54831 | 2025-09-26 | Apache Airflow: Connection sensitive details exposed to users with READ permissions |
| CVE-2025-1396 | 2025-09-26 | Username Enumeration in Multiple WSO2 Products with Multi-Attribute Login Enabled |
| CVE-2025-1862 | 2025-09-26 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via BPEL Uploader SOAP Service Leading to Remote Code Execution |
| CVE-2025-59011 | 2025-09-26 | WordPress Traveler Theme < 3.2.3 - Arbitrary Content Deletion Vulnerability |
| CVE-2025-59010 | 2025-09-26 | WordPress Permalink Manager Lite Plugin <= 2.5.1.3 - Sensitive Data Exposure Vulnerability |
| CVE-2025-59002 | 2025-09-26 | WordPress BM Content Builder Plugin < 3.16.3.3 - Arbitrary File Deletion Vulnerability |
| CVE-2025-59012 | 2025-09-26 | WordPress Traveler theme < 3.2.3 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-58919 | 2025-09-26 | WordPress Wide Banner plugin <= 1.0.4 - Broken Access Control vulnerability |
| CVE-2025-58917 | 2025-09-26 | WordPress Quantities and Units for WooCommerce plugin <= 1.0.13 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-58914 | 2025-09-26 | WordPress Di Themes Demo Site Importer plugin <= 1.2 - Cross Site Request Forgery (CSRF) to Plugin Activation vulnerability |
| CVE-2025-48326 | 2025-09-26 | WordPress Acclectic Media Organizer Plugin <= 1.4 - Broken Access Control Vulnerability |
| CVE-2025-48107 | 2025-09-26 | WordPress Uncode theme < 2.9.4.4 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-27006 | 2025-09-26 | WordPress Authorsy Plugin <= 1.0.5 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-4957 | 2025-09-26 | WordPress ProfileGrid plugin <= 5.9.5.7 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-60040 | 2025-09-26 | WordPress wp-mpdf Plugin <= 3.9.1 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-60092 | 2025-09-26 | WordPress Download Manager Plugin <= 3.3.24 - Sensitive Data Exposure Vulnerability |
| CVE-2025-60093 | 2025-09-26 | WordPress Download Manager Plugin <= 3.3.24 - Cross Site Request Forgery (CSRF) Vulnerability |
| CVE-2025-60094 | 2025-09-26 | WordPress Stackable Plugin <= 3.18.1 - Broken Access Control Vulnerability |
| CVE-2025-60095 | 2025-09-26 | WordPress Stackable Plugin <= 3.18.1 - Sensitive Data Exposure Vulnerability |
| CVE-2025-60096 | 2025-09-26 | WordPress TheGem (Elementor) Theme <= 5.10.5 - Broken Access Control Vulnerability |
| CVE-2025-60097 | 2025-09-26 | WordPress TheGem Theme <= 5.10.5 - Broken Access Control Vulnerability |
| CVE-2025-60098 | 2025-09-26 | WordPress Theme My Login Plugin <= 7.1.12 - Broken Access Control Vulnerability |
| CVE-2025-60101 | 2025-09-26 | WordPress Woostify Theme <= 2.4.2 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-60100 | 2025-09-26 | WordPress XStore Theme <= 9.5.3 - Content Injection Vulnerability |
| CVE-2025-60099 | 2025-09-26 | WordPress Embed Any Document Plugin <= 2.7.7 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-60102 | 2025-09-26 | WordPress WPFront User Role Editor Plugin <= 4.2.3 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-60103 | 2025-09-26 | WordPress ListingPro Plugin <= 2.9.8 - Broken Access Control Vulnerability |
| CVE-2025-60104 | 2025-09-26 | WordPress Gallery Custom Links Plugin <= 2.2.5 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-60105 | 2025-09-26 | WordPress Ditty Plugin <= 3.1.58 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-60106 | 2025-09-26 | WordPress EmailKit Plugin <= 1.6.0 - Arbitrary Content Deletion Vulnerability |
| CVE-2025-60107 | 2025-09-26 | WordPress LambertGroup - AllInOne - Banner with Playlist Plugin <= 3.8 - SQL Injection Vulnerability |
| CVE-2025-60108 | 2025-09-26 | WordPress LambertGroup - AllInOne - Banner with Thumbnails Plugin <= 3.8 - SQL Injection Vulnerability |
| CVE-2025-60109 | 2025-09-26 | WordPress LambertGroup - AllInOne - Content Slider Plugin <= 3.8 - SQL Injection Vulnerability |
| CVE-2025-60110 | 2025-09-26 | WordPress AllInOne - Banner Rotator Plugin <= 3.8 - SQL Injection Vulnerability |
| CVE-2025-60111 | 2025-09-26 | WordPress Javo Core Plugin <= 3.0.0.266 - Cross Site Request Forgery (CSRF) Vulnerability |
| CVE-2025-60112 | 2025-09-26 | WordPress aThemes Addons for Elementor Plugin <= 1.1.3 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-60113 | 2025-09-26 | WordPress Groovy Menu Plugin <= 1.4.3 - Cross Site Request Forgery (CSRF) Vulnerability |
| CVE-2025-60114 | 2025-09-26 | WordPress YayCurrency Plugin <= 3.2 - Remote Code Execution (RCE) Vulnerability |
| CVE-2025-60115 | 2025-09-26 | WordPress Instapage Plugin Plugin <= 3.5.12 - Cross Site Request Forgery (CSRF) Vulnerability |
| CVE-2025-60116 | 2025-09-26 | WordPress Grand Conference Theme Custom Post Type Plugin <= 2.6.3 - Broken Access Control Vulnerability |
| CVE-2025-60117 | 2025-09-26 | WordPress Vehica Core Plugin <= 1.0.100 - Cross Site Request Forgery (CSRF) Vulnerability |