Skip to main content
CVE-2025-0108 HIGH POC KEV THREAT Act Now

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers to invoke PHP scripts, potentially leading to system compromise when chained with other vulnerabilities.

RCE PHP Authentication Bypass Paloalto Pan Os
NVD GitHub
CVSS 4.0
8.8
EPSS
94.1%
Threat
7.6
CVE-2025-0111 HIGH KEV THREAT Act Now

Palo Alto Networks PAN-OS management interface contains an authenticated file read vulnerability allowing reading of files accessible to the 'nobody' user, exploited alongside CVE-2025-0108 for configuration extraction.

Information Disclosure Paloalto Pan Os
NVD
CVSS 4.0
7.1
EPSS
3.6%
CVE-2025-25742 CRITICAL POC Act Now

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the AccountPassword parameter in the SetSysEmailSettings module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Memory Corruption Buffer Overflow Dir 853 Firmware
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2024-57604 CRITICAL POC PATCH Act Now

An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Ezbookkeeping Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
2.5%
CVE-2024-57602 CRITICAL POC Act Now

An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Privilege Escalation Easyappointments
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2025-25746 CRITICAL POC Act Now

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetWanSettings module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Memory Corruption Buffer Overflow Dir 853 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2025-25744 CRITICAL POC Act Now

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetDynamicDNSSettings module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Memory Corruption Buffer Overflow Dir 853 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2025-25343 CRITICAL POC Act Now

Tenda AC6 V15.03.05.16 firmware has a buffer overflow vulnerability in the formexeCommand function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Buffer Overflow Ac6 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-25351 CRITICAL POC Act Now

PHPGurukul Daily Expense Tracker System v1.1 is vulnerable to SQL Injection in /dets/add-expense.php via the dateexpense parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Daily Expense Tracker System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-25349 CRITICAL POC Act Now

PHPGurukul Daily Expense Tracker System v1.1 is vulnerable to SQL Injection in /dets/add-expense.php via the costitem parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Daily Expense Tracker System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-23359 HIGH POC PATCH This Week

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Nvidia Information Disclosure RCE Denial Of Service Nvidia Container Toolkit +3
NVD
CVSS 3.1
8.3
EPSS
3.7%
CVE-2025-25205 HIGH POC PATCH This Week

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Authentication Bypass Denial Of Service Audiobookshelf
NVD GitHub
CVSS 3.1
8.2
EPSS
0.6%
CVE-2025-25198 HIGH POC This Week

mailcow: dockerized is an open source groupware/email suite based on docker. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Docker Mailcow
NVD GitHub Exploit-DB
CVSS 3.1
7.1
EPSS
5.8%
CVE-2025-25743 HIGH POC This Week

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a command injection vulnerability in the SetVirtualServerSettings module. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection Dir 853 Firmware
NVD
CVSS 3.1
7.2
EPSS
1.9%
CVE-2025-1226 MEDIUM POC This Month

A vulnerability was found in ywoa up to 2024.07.03. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Yimioa
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2024-13365 CRITICAL PATCH Act Now

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Security Malware Scan
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2024-10960 CRITICAL PATCH Act Now

The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Brizy
NVD
CVSS 3.1
9.9
EPSS
3.7%
CVE-2024-12379 MEDIUM POC This Month

A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-57603 MEDIUM POC PATCH This Month

An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the lack of rate limiting. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Ezbookkeeping Suse
NVD GitHub
CVSS 3.1
6.3
EPSS
0.4%
CVE-2025-1100 CRITICAL Act Now

A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2024-57601 MEDIUM POC This Month

Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Easyappointments
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-26359 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-26344 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-26342 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-26341 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-26339 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-26345 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-26347 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-25184 MEDIUM POC PATCH This Month

Rack provides an interface for developing web applications in Ruby. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Rack Red Hat Suse
NVD GitHub
CVSS 4.0
5.7
EPSS
1.1%
CVE-2024-12213 CRITICAL Act Now

The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.76. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-13421 CRITICAL Act Now

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation Real Estate 7
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-25741 MEDIUM POC This Month

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the IPv6_PppoePassword parameter in the SetIPv6PppoeSettings module. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Buffer Overflow Stack Overflow Dir 853 Firmware
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-56939 MEDIUM POC This Month

LearnDash v6.7.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the ld-comment-body class. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Learndash
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-56938 MEDIUM POC This Month

LearnDash v6.7.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the materials-content class. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Learndash
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-57605 MEDIUM POC This Month

Cross Site Scripting vulnerability in Daylight Studio Fuel CMS v.1.5.2 allows an attacker to escalate privileges via the /fuel/blocks/ and /fuel/pages components. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Fuel Cms
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-32838 CRITICAL Act Now

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Fineract
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-25182 CRITICAL Act Now

Stroom is a data processing, storage and analysis platform. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SSRF Authentication Bypass
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
CVE-2025-1225 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in ywoa up to 2024.07.03.java of the component WXCallBack Interface. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Java Yimioa
NVD VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-26361 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2025-1191 MEDIUM POC This Month

A vulnerability was found in SourceCodester Multi Restaurant Table Reservation System 1.0 and classified as critical.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Multi Restaurant Table Reservation System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-1184 MEDIUM POC This Month

A vulnerability was found in pihome-shc PiHome 1.77 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Maxair
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1214 MEDIUM POC This Month

A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Maxair
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1188 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Codezips Gym Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Gym Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1224 MEDIUM POC This Month

A vulnerability classified as critical was found in ywoa up to 2024.07.03. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Yimioa
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1202 MEDIUM POC This Month

A vulnerability classified as critical has been found in SourceCodester Best Church Management Software 1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Best Church Management Software
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1200 MEDIUM POC This Month

A vulnerability was found in SourceCodester Best Church Management Software 1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Best Church Management Software
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1216 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in ywoa up to 2024.07.03.xml. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Yimioa
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1227 MEDIUM POC This Month

A vulnerability was found in ywoa up to 2024.07.03. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Yimioa
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1201 MEDIUM POC This Month

A vulnerability was found in SourceCodester Best Church Management Software 1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Best Church Management Software
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1185 MEDIUM POC This Month

A vulnerability was found in pihome-shc PiHome 2.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Maxair
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy