Skip to main content
CVE-2025-23061 CRITICAL POC PATCH THREAT Act Now

Mongoose ODM for Node.js before version 8.9.5 contains a search injection vulnerability when using $where filters with populate() match operations. This is an incomplete fix for CVE-2024-53900, allowing attackers to inject arbitrary MongoDB queries through SpEL-like expressions in nested query parameters.

RCE Code Injection Mongoose
NVD GitHub
CVSS 3.1
9.0
EPSS
55.9%
Threat
5.0
CVE-2024-57726 CRITICAL POC KEV THREAT Emergency

SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.3%
Threat
5.0
CVE-2024-12084 CRITICAL POC PATCH Act Now

A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Rsync Almalinux Arch Linux +4
NVD GitHub
CVSS 3.1
9.8
EPSS
3.5%
CVE-2025-22785 CRITICAL POC Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ComMotion Course Booking System allows SQL Injection.0.5. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
5.1%
CVE-2025-22782 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce allows Upload a Web Shell to a Web Server.0.8. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2024-48126 CRITICAL This Week

HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-22146 CRITICAL PATCH This Week

Sentry is a developer-first error tracking and performance monitoring tool. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-22968 CRITICAL POC THREAT Act Now

An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using root account without restrictions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 42.1%.

RCE Code Injection D-Link Dwr M972V Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
42.1%
CVE-2024-9636 CRITICAL This Week

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation WordPress
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-12297 CRITICAL This Week

Moxa’s Ethernet switch is vulnerable to an authentication bypass because of flaws in its authorization mechanism. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
9.2
EPSS
0.2%
CVE-2024-57766 CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/editField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-57764 CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-57763 CRITICAL POC Act Now

MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Mysiteforme
NVD
CVSS 3.1
9.1
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy