Skip to main content
CVE-2025-0108 HIGH POC KEV THREAT Act Now

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers to invoke PHP scripts, potentially leading to system compromise when chained with other vulnerabilities.

RCE PHP Authentication Bypass Paloalto Pan Os
NVD GitHub
CVSS 4.0
8.8
EPSS
94.1%
Threat
7.6
CVE-2025-0111 HIGH KEV THREAT Act Now

Palo Alto Networks PAN-OS management interface contains an authenticated file read vulnerability allowing reading of files accessible to the 'nobody' user, exploited alongside CVE-2025-0108 for configuration extraction.

Information Disclosure Paloalto Pan Os
NVD
CVSS 4.0
7.1
EPSS
3.6%
CVE-2025-23359 HIGH POC PATCH This Week

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Nvidia Information Disclosure RCE Denial Of Service Nvidia Container Toolkit +3
NVD
CVSS 3.1
8.3
EPSS
3.7%
CVE-2025-25205 HIGH POC PATCH This Week

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Authentication Bypass Denial Of Service Audiobookshelf
NVD GitHub
CVSS 3.1
8.2
EPSS
0.6%
CVE-2025-25198 HIGH POC This Week

mailcow: dockerized is an open source groupware/email suite based on docker. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Docker Mailcow
NVD GitHub Exploit-DB
CVSS 3.1
7.1
EPSS
5.8%
CVE-2025-25743 HIGH POC This Week

D-Link DIR-853 A1 FW1.20B07 was discovered to contain a command injection vulnerability in the SetVirtualServerSettings module. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection Dir 853 Firmware
NVD
CVSS 3.1
7.2
EPSS
1.9%
CVE-2024-13714 HIGH This Week

The All-Images.ai - IA Image Bank and Custom Image creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_get_image_by_url' function in all. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2025-1244 HIGH PATCH This Week

A command injection flaw was found in the text editor Emacs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2025-0376 HIGH This Week

An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab XSS
NVD
CVSS 3.1
8.7
EPSS
1.0%
CVE-2025-26340 HIGH This Week

A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-26378 HIGH This Week

A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-26375 HIGH This Week

A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-26371 HIGH This Week

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-26369 HIGH This Week

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-0556 HIGH This Week

In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framework implementation, communication of non-sensitive information between the service agent. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Telerik Report Server
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-12296 HIGH This Week

The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-13653 HIGH This Week

The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-34520 HIGH This Week

An authorization bypass vulnerability exists in the Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R_1_0_24_0, which allows an authenticated 'guest' user to perform unauthorized. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2023-49615 HIGH This Week

Improper input validation in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7), this vulnerability is low attack complexity. No vendor patch available.

Intel Privilege Escalation
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2023-49618 HIGH This Week

Improper buffer restrictions in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7), this vulnerability is low attack complexity. No vendor patch available.

Intel Buffer Overflow Privilege Escalation
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-31155 HIGH This Week

Improper buffer restrictions in the UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7). No vendor patch available.

Intel Buffer Overflow Privilege Escalation
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2023-49603 HIGH This Week

Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7), this vulnerability is low attack complexity. No vendor patch available.

Intel Race Condition Privilege Escalation
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2023-34440 HIGH PATCH This Week

Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7).

Intel Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2023-43758 HIGH PATCH This Week

Improper input validation in UEFI firmware for some Intel(R) processors may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7), this vulnerability is low attack complexity.

Intel Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-29214 HIGH PATCH This Week

Improper input validation in UEFI firmware CseVariableStorageSmm for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7). No vendor patch available.

Intel Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-28127 HIGH PATCH This Week

Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7). No vendor patch available.

Intel Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-24582 HIGH PATCH This Week

Improper input validation in XmlCli feature for UEFI firmware for some Intel(R) processors may allow privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7). No vendor patch available.

Intel Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-0110 HIGH This Week

A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Paloalto
NVD
CVSS 4.0
8.6
EPSS
0.1%
CVE-2023-48267 HIGH This Week

Improper buffer restrictions in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Intel Buffer Overflow Privilege Escalation
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2024-36262 HIGH This Week

Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.6). No vendor patch available.

Intel Race Condition Privilege Escalation
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2024-12673 HIGH This Week

An improper privilege vulnerability was reported in a BIOS customization feature of Lenovo Vantage on SMB notebook devices which could allow a local attacker to elevate privileges on the system. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Lenovo
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2024-37355 HIGH This Week

Improper access control in some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Intel Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2023-31276 HIGH This Week

Heap-based buffer overflow in BMC Firmware for the Intel(R) Server Board S2600WF, Intel(R) Server Board S2600ST, Intel(R) Server Board S2600BP, before version 02.01.0017 and Intel(R) Server Board. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Intel Buffer Overflow Heap Overflow Privilege Escalation
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2024-11343 HIGH This Week

In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), unzipping an archive can lead to arbitrary file system access. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Telerik Document Processing Libraries
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2025-26343 HIGH This Week

A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Maxtime
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-1146 HIGH This Week

CrowdStrike uses industry-standard TLS (transport layer security) to secure communications from the Falcon sensor to the CrowdStrike cloud. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Information Disclosure Kubernetes Windows
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-26377 HIGH This Week

A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-26368 HIGH This Week

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-12386 HIGH PATCH This Week

The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Wp Abstracts
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-13800 HIGH This Week

The ConvertPlus plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cp_dismiss_notice' AJAX endpoint. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Denial Of Service Convertplus
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-13656 HIGH This Week

The Click Mag - Viral WordPress News Magazine/Blog Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Denial Of Service Click Mag
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-13654 HIGH This Week

The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Denial Of Service Zoxpress
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-0332 HIGH This Week

In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an archive's content into a restricted. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Path Traversal Telerik Ui For Winforms
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-12251 HIGH This Week

In Progress® Telerik® UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2024-51440 HIGH This Week

An issue in Nothing Tech Nothing OS v.2.6 allows a local attacker to escalate privileges via the NtBpfService component. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2024-57951 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: hrtimers: Handle CPU state correctly on hotplug Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway through a. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Linux Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-25199 HIGH PATCH This Week

go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Windows Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-46922 HIGH This Week

An issue was discovered in Samsung Mobile Processor Exynos 1480 and 2400. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Samsung Denial Of Service Exynos 1480 Firmware Exynos 2400 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-26354 HIGH This Week

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Maxtime
NVD
CVSS 3.1
7.2
EPSS
2.1%
CVE-2025-26366 HIGH This Week

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Maxtime
NVD
CVSS 3.1
7.5
EPSS
0.6%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy