Zohocorp ManageEngine ADManager Plus version before 8024 are vulnerable to authenticated command injection vulnerability in the Custom Script component. More information : https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-10020.html
An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in the WorkExaminer Professional console to gain administrative access to...
All WorkExaminer Professional traffic between monitoring client, console and server is transmitted as plain text. This allows an attacker with access to the network to read the transmitted sensitive data. An attacker can also...
Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api. More information : https://www.manageengine.com/analytics-plus/CVE-2025-9428.html
The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to...
Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection. More information : https://www.manageengine.com/products/desktop-central/parsing-xml-data.html
ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4.2508.14, 11.4.2516.06, and 11.4.2518.01 are affected by an arbitrary file deletion vulnerability in the agent setup component. More information : https://www.manageengine.com/products/desktop-central/kb/arbitrary-file-deletion-allows-local-privilege-escalation.html
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in giSoft Information Technologies City Guide allows Reflected XSS.This issue affects City Guide: before 1.4.45. More information : https://www.usom.gov.tr/bildirim/tr-25-0350
SolarWinds Observability Self-Hosted is susceptible to SQL injection vulnerability that may display sensitive data using a low-level account. This vulnerability requires authentication from a low-privilege account. More information : https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2025-4_release_notes.htm
Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki – Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki – Lockdown Extension: from master before 1.42....
EasyFlow .NET and EasyFlow AiNet, developed by Digiwin, has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to obtain database administrator credentials via a specific functionality. More information : https://www.twcert.org.tw/en/cp-139-10455-5b9ac-2.html
The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. More information...
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in The Wikimedia Foundation Mediawiki – PageTriage Extension allows Stored XSS.This issue affects Mediawiki – PageTriage Extension: from master before 1.44....
Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in The Wikimedia Foundation Mediawiki – WikiLove Extension allows Stored XSS.This issue affects Mediawiki – WikiLove Extension: 1.39. More information :...