Security Vulnerabilities
The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
CVSS Score
9.8
EPSS Score
0.002
Published
2025-11-19
The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and compromise system integrity.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-11-19
A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01). The sle_sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be executed in the victim's browser within the security context of the vulnerable application. This issue could allow attackers to steal session cookies, disclose sensitive information, perform unauthorized actions on behalf of the user, or conduct phishing attacks.
CVSS Score
4.6
EPSS Score
0.0
Published
2025-11-19
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.
This issue affects all current versions.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
CVSS Score
6.3
EPSS Score
0.007
Published
2025-11-19
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.
CVSS Score
7.5
EPSS Score
0.002
Published
2025-11-19
A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow attacker to execute unauthorized code or commands via crafted URL.
CVSS Score
4.7
EPSS Score
0.0
Published
2025-11-19
Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.2.0 before 5.2.12.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-19
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability.
CVSS Score
7.2
EPSS Score
0.002
Published
2025-11-19
The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization checks. The endpoint only validates a nonce, but that same nonce is publicly available to all site visitors via the quiz_maker_ajax_public localized script data. This makes it possible for unauthenticated attackers to extract sensitive data including quiz answers for any quiz question.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-11-19
Tanium addressed an arbitrary file deletion vulnerability in TanOS.
CVSS Score
5.6
EPSS Score
0.0
Published
2025-11-19