// Vulnerability Research

CVE & Security Advisory Details

13 CVEs | 3 Advisories | 5 Platforms: Dokploy · Cisco · pfSense · OpenZiti · WordPress

01 Dokploy Platform (3 CVEs)

CVE-2025-53376 (High): OS Command Injection

An OS command injection vulnerability in Dokploy allows an attacker to execute arbitrary system commands on the host.

Platform: Dokploy | Type: OS Command Injection
CVE-2025-53375 (High): Local File Inclusion

A local file inclusion vulnerability in Dokploy allows unauthorized access to sensitive files on the server.

Platform: Dokploy | Type: Local File Inclusion
CVE-2025-53374 (Medium): Information Disclosure

An information disclosure vulnerability in Dokploy exposes sensitive configuration and system information.

Platform: Dokploy | Type: Information Disclosure
02 Cisco BroadWorks (1 CVE)

CVE-2025-20307 (Medium): Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability in the Cisco BroadWorks Application Delivery Platform could allow an attacker to execute arbitrary script code in the browser of a user of the affected interface.

Platform: Cisco BroadWorks | Type: Cross-Site Scripting (XSS)
03 pfSense Security Advisories (3 Advisories)

pfSense-SA-25_07.webgui (High): Stored XSS in Wake on LAN pages and Dashboard widget

A stored cross-site scripting vulnerability was discovered in pfSense's Wake on LAN pages and Dashboard widget.

Platform: pfSense | Type: Stored XSS

pfSense-SA-25_06.webgui (High): Stored XSS in IPsec Phase 1

A stored cross-site scripting vulnerability exists in the IPsec Phase 1 configuration pages of pfSense.

Platform: pfSense | Type: Stored XSS

pfSense-SA-25_05.webgui (High): Stored XSS in Firewall Schedules

A stored cross-site scripting vulnerability was identified in the pfSense Firewall Schedules configuration pages.

Platform: pfSense | Type: Stored XSS
04 OpenZiti (2 CVEs)

CVE-2025-27500 (Critical): Unauthenticated Stored XSS on admin panel

An unauthenticated stored cross-site scripting vulnerability in OpenZiti's admin panel allows a remote attacker to store script that executes in the browser of an administrator who views the affected page.

Platform: OpenZiti | Type: Unauthenticated Stored XSS
CVE-2025-27501 (Critical): Unauthenticated SSRF on admin panel

An unauthenticated server-side request forgery (SSRF) vulnerability in OpenZiti's admin panel lets an attacker make the server issue requests to internal resources that are not reachable from the outside.

Platform: OpenZiti | Type: Unauthenticated SSRF
05 WordPress Plugin Vulnerabilities (7 CVEs)

CVE-2023-4691 (Critical): Bookly ≤ 22.3.1 — Authenticated (Administrator+) SQL Injection

An authenticated SQL injection vulnerability in Bookly plugin versions up to 22.3.1 allows an administrator-level user to inject and execute arbitrary SQL queries.

Plugin: Bookly | Type: SQL Injection

CVE-2023-4620 (Critical): Booking Calendar ≤ 9.7.3 — Unauthenticated Stored Cross-Site Scripting

An unauthenticated stored XSS vulnerability in Booking Calendar plugin versions up to 9.7.3 allows attackers to inject malicious scripts.

Plugin: Booking Calendar | Type: Stored XSS

CVE-2023-4490 (Critical): WP Job Portal ≤ 2.0.5 — Unauthenticated SQL Injection

An unauthenticated SQL injection vulnerability in WP Job Portal versions up to 2.0.5 allows remote attackers to extract sensitive information from the database.

Plugin: WP Job Portal | Type: SQL Injection

CVE-2023-4502 (High): GTranslate ≤ 3.0.3 — Authenticated (Administrator+) Cross-Site Scripting

Multiple authenticated XSS vulnerabilities in GTranslate plugin versions up to 3.0.3 allow administrator-level users to inject malicious scripts via several parameters.

Plugin: GTranslate | Type: Cross-Site Scripting

CVE-2023-1465 (Medium): WP EasyPay ≤ 4.0.4 — Reflected Cross-Site Scripting

A reflected XSS vulnerability in WP EasyPay plugin versions up to 4.0.4 allows attackers to execute JavaScript in the browser of a user who follows a crafted link.

Plugin: WP EasyPay | Type: Reflected XSS

CVE-2023-1546 (Medium): MyCryptoCheckout ≤ 2.123 — Reflected Cross-Site Scripting via URL

A reflected XSS vulnerability via URL parameters in MyCryptoCheckout plugin versions up to 2.123 enables script injection attacks.

Plugin: MyCryptoCheckout | Type: Reflected XSS

CVE-2023-1554 (High): Quick Paypal Payments ≤ 5.7.26.3 — Authenticated (Administrator+) Stored XSS

An authenticated stored XSS vulnerability in Quick Paypal Payments plugin versions up to 5.7.26.3 allows administrator-level users to persistently inject malicious scripts.

Plugin: Quick Paypal Payments | Type: Stored XSS