Skip to main content
CVE-2025-25742 CRITICAL POC Act Now

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the AccountPassword parameter in the SetSysEmailSettings module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Memory Corruption Buffer Overflow Dir 853 Firmware
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2024-57604 CRITICAL POC PATCH Act Now

An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Ezbookkeeping Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
2.5%
CVE-2024-57602 CRITICAL POC Act Now

An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Privilege Escalation Easyappointments
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2025-25746 CRITICAL POC Act Now

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetWanSettings module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Memory Corruption Buffer Overflow Dir 853 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2025-25744 CRITICAL POC Act Now

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetDynamicDNSSettings module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Memory Corruption Buffer Overflow Dir 853 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2025-25343 CRITICAL POC Act Now

Tenda AC6 V15.03.05.16 firmware has a buffer overflow vulnerability in the formexeCommand function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Buffer Overflow Ac6 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-25351 CRITICAL POC Act Now

PHPGurukul Daily Expense Tracker System v1.1 is vulnerable to SQL Injection in /dets/add-expense.php via the dateexpense parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Daily Expense Tracker System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-25349 CRITICAL POC Act Now

PHPGurukul Daily Expense Tracker System v1.1 is vulnerable to SQL Injection in /dets/add-expense.php via the costitem parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Daily Expense Tracker System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-13365 CRITICAL PATCH Act Now

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Security Malware Scan
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2024-10960 CRITICAL PATCH Act Now

The Brizy - Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Brizy
NVD
CVSS 3.1
9.9
EPSS
3.7%
CVE-2025-1100 CRITICAL Act Now

A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2025-26359 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-26344 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-26342 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-26341 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-26339 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-26345 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-26347 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-12213 CRITICAL Act Now

The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.76. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-13421 CRITICAL Act Now

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation Real Estate 7
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-32838 CRITICAL Act Now

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Fineract
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-25182 CRITICAL Act Now

Stroom is a data processing, storage and analysis platform. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SSRF Authentication Bypass
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
CVE-2025-26361 CRITICAL Act Now

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2025-25200 CRITICAL PATCH Act Now

Koa is expressive middleware for Node.js using ES2017 async functions. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Koa
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2022-31631 CRITICAL PATCH Act Now

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP SQLi Red Hat Suse
NVD
CVSS 3.1
9.1
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy