Security Vulnerabilities
CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection.
CVSS Score: 6.1 | EPSS Score: 0.0 | Published: 2025-12-23
CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ')-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons.
CVSS Score: 6.1 | EPSS Score: 0.0 | Published: 2025-12-23
Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victims' browsers by submitting crafted payloads through application endpoints.
CVSS Score: 5.4 | EPSS Score: 0.0 | Published: 2025-12-23
Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the iface parameter in the action_bandwidth function.
CVSS Score: 6.5 | EPSS Score: 0.043 | Published: 2025-12-23
Netgear EX8000 V1.0.0.126 was discovered to contain a command injection vulnerability via the switch_status function.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2025-12-23
eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.
CVSS Score: 10.0 | EPSS Score: 0.0 | Published: 2025-12-23
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser.
CVSS Score: 6.1 | EPSS Score: 0.0 | Published: 2025-12-23
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2025-12-23
The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request, provided they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2025-12-23
Local Deep Research is an AI-powered research assistant for deep, iterative research. In versions from 1.3.0 to before 1.3.9, the download service (download_service.py) makes HTTP requests using raw requests.get() without utilizing the application's SSRF protection (safe_requests.py). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls. This issue has been patched in version 1.3.9.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2025-12-23
Shodan ® - All rights reserved