The Upload.am  WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options.

CVE Database V5

Detailed information about CVE-2025-12630: CWE-862 Missing Authorization in Upload.am affecting null Upload.am. Get real-time updates, technical details, and mi

CVE-2025-12630: CWE-862 Missing Authorization in Upload.am - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-12630: CWE-862 Missing Authorization in Upload.am

A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Detailed information about CVE-2025-13877: Use of Hard-coded Cryptographic Key in nocobase affecting null nocobase. Get real-time updates, technical details, an

CVE-2025-13877: Use of Hard-coded Cryptographic Key in nocobase - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-13877: Use of Hard-coded Cryptographic Key in nocobase

CVE-2025-64460 is a vulnerability in Django versions prior to 5. 2. 9, 5. 1. 15, and 4. 2. 27 involving inefficient algorithmic complexity in the XML deserialization process. Specifically, the function django. core. serializers.

CVE-2025-64460 is an algorithmic complexity vulnerability classified under CWE-407 found in Django's XML deserialization component, specifically in the getInnerText() function of django.core.serializers.xml_serializer. This vulnerability exists in Django versions 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27, with earlier unsupported versions potentially affected as well. The flaw allows a remote attacker to submit specially crafted XML input that triggers excessive CPU and memory consumption during deserialization, leading to a denial-of-service (DoS) condition. The root cause is inefficient handling of XML input that causes algorithmic complexity to spike, exhausting server resources. Exploitation does not require authentication or user interaction, making it accessible to unauthenticated remote attackers. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to web applications relying on vulnerable Django versions for XML data processing. The issue was responsibly disclosed by Seokchan Yoon and is pending patch releases. The impact is primarily on availability, with potential secondary effects on service reliability and user trust. Given Django's widespread use in web development, especially in Europe, this vulnerability could disrupt critical web services if exploited.

Detailed information about CVE-2025-64460: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django affecting djangoproject Django. Get real-time upd

CVE-2025-64460: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-64460: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django

CVE-2025-13372 is a medium-severity SQL injection vulnerability affecting Django versions 4. 2 before 4. 2. 27, 5. 1 before 5. 1. 15, and 5. 2 before 5. 2. 9.

CVE-2025-13372 is a vulnerability in the Django web framework impacting versions 4.2 prior to 4.2.27, 5.1 prior to 5.1.15, and 5.2 prior to 5.2.9. The issue arises from improper neutralization of special elements in SQL commands (CWE-89), specifically within the FilteredRelation feature when used with PostgreSQL databases. The vulnerability is triggered when developers use dictionary expansion (**kwargs) to pass dynamic column aliases to QuerySet.annotate() or QuerySet.alias(). By crafting a malicious dictionary, an attacker can inject SQL code into the column aliases, which are not properly sanitized before being incorporated into the SQL query. This can lead to SQL injection attacks that expose confidential data. The vulnerability does not require authentication but does require user interaction, such as submitting crafted input that reaches the vulnerable code path. The CVSS score is 4.3 (medium), reflecting a network attack vector with low complexity and no privileges required, but user interaction is necessary. The flaw affects PostgreSQL backends specifically, and earlier unsupported Django versions may also be vulnerable but were not evaluated. No public exploits have been reported yet. The Django project has acknowledged the issue and released patches in the specified versions to remediate the vulnerability.

Detailed information about CVE-2025-13372: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in djangoproject Django 

CVE-2025-13372: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in djangoproject Django - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-13372: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in djangoproject Django

A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.

Detailed information about CVE-2025-65187: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-65187: n/a

CVE-2025-65187: n/a

Description

Technical Details

Community Reviews

Related Threats

CVE-2025-12630: CWE-862 Missing Authorization in Upload.am

CVE-2025-13877: Use of Hard-coded Cryptographic Key in nocobase

CVE-2025-64460: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django

CVE-2025-13372: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in djangoproject Django

CVE-2025-63872: n/a

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility