| CVE |
CVSS |
Git URL |
Published |
Description |
| CVE-2025-3535 |
4.3 |
https://github.com/shuanx/burpapifinder/issues/18#issue-2956026808 |
2025-04-13T11:15:14.723 |
A vulnerability has been found in shuanx BurpAPIFinder up to 2.0.2 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file BurpApiFinder.db. The manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3445 |
8.1 |
execution,sensitive |
2025-04-13T22:15:12.870 |
A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the user's privileges or application utilizing the library.
When using the archiver.Unarchive functionality with ZIP files, like this: archiver.Unarchive(zipFile, outputDir), A crafted ZIP file can be extracted in such a way that it writes files to the affected system with the same privileges as the application executing this vulnerable functionality. Consequently, sensitive files may be overwritten, potentially leading to privilege escalation, code execution, and other severe outcomes in some cases.
It's worth noting that a similar vulnerability was found in TAR files (CVE-2024-0406). Although a fix was implemented, it hasn't been officially released, and the affected project has since been deprecated. The successor to mholt/archiver is a new project called mholt/archives, and its initial release (v0.1.0) removes the Unarchive() functionality. |
| CVE-2025-2881 |
5.3 |
unauthenticated,sensitive |
2025-04-12T03:15:14.430 |
The Developer Toolbar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file. |
| CVE-2025-2841 |
5.3 |
unauthenticated,sensitive |
2025-04-12T03:15:13.453 |
The Cart66 Cloud plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.7 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file. |
| CVE-2025-32068 |
- |
authentication,bypass |
2025-04-11T17:15:43.317 |
Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass.This issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43. |
| CVE-2025-3439 |
9.8 |
unauthenticated,sensitive |
2025-04-11T13:15:41.100 |
The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input from the 'field_value' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. |
| CVE-2025-23387 |
5.3 |
unauthenticated,authentication,sensitive |
2025-04-11T11:15:42.367 |
A Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE rancher allowed unauthenticated users to list all CLI authentication tokens and delete them before the CLI is able to get the token value.This issue affects rancher: from 2.8.0 before 2.8.13, from 2.9.0 before 2.9.7, from 2.10.0 before 2.10.3. |
| CVE-2025-2636 |
9.8 |
execution,unauthenticated,sensitive,bypass |
2025-04-11T05:15:31.013 |
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. |