Skip to main content
CVE-2025-1094 HIGH POC PATCH THREAT Act Now

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperly neutralize quoting syntax, enabling SQL injection when function results are used to construct psql input. This vulnerability was used as the initial access vector in the BeyondTrust RS compromise chain.

SQLi PostgreSQL Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
79.7%
Threat
5.5
CVE-2025-24865 CRITICAL POC THREAT Emergency

The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 67.2% and no vendor patch available.

Authentication Bypass Mypro
NVD
CVSS 4.0
10.0
EPSS
67.2%
Threat
5.5
CVE-2025-22896 CRITICAL POC THREAT Emergency

mySCADA myPRO Manager stores credentials in cleartext, which could allow an attacker to obtain sensitive information. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.2% and no vendor patch available.

Information Disclosure Mypro
NVD
CVSS 4.0
9.2
EPSS
33.2%
Threat
4.3
CVE-2025-25388 CRITICAL POC Act Now

A SQL Injection vulnerability was found in /admin/edit-propertytype.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the editid GET request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
9.8
EPSS
3.0%
CVE-2025-25389 CRITICAL POC Act Now

A SQL Injection vulnerability was found in /admin/forgot-password.php in Phpgurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the contactno POST request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2024-10763 CRITICAL POC Act Now

The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE WordPress Path Traversal +1
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-13346 HIGH Act Now

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 27.6% and no vendor patch available.

RCE WordPress Code Injection Avada
NVD
CVSS 3.1
7.3
EPSS
27.6%
CVE-2025-25357 HIGH POC This Week

A SQL Injection vulnerability was found in /admin/contactus.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the email POST request parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
7.2
EPSS
2.7%
CVE-2025-25356 HIGH POC This Week

A SQL Injection vulnerability was found in /admin/bwdates-reports-details.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the " todate" POST. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
7.2
EPSS
2.7%
CVE-2025-25387 HIGH POC This Week

A SQL Injection vulnerability was found in /admin/manage-propertytype.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the propertytype POST. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
7.2
EPSS
2.0%
CVE-2025-25355 HIGH POC This Week

A SQL Injection vulnerability was found in /admin/bwdates-reports-details.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the fromdate POST. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
7.2
EPSS
2.0%
CVE-2025-25354 HIGH POC This Week

A SQL Injection was found in /admin/admin-profile.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the contactnumber POST request parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
7.2
EPSS
2.0%
CVE-2025-25352 HIGH POC This Week

A SQL Injection vulnerability was found in /admin/aboutus.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the pagetitle POST request parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
7.2
EPSS
2.0%
CVE-2025-25897 HIGH POC This Week

A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the 'ip' parameter at /userRpm/WanStaticIpV6CfgRpm.htm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow TP-Link Denial Of Service Tl Wr841Nd Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-25901 HIGH POC This Week

A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11, triggered by the dnsserver1 and dnsserver2 parameters at /userRpm/WanSlaacCfgRpm.htm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow TP-Link Denial Of Service Tl Wr841Nd Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-25898 HIGH POC This Week

A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the pskSecret parameter at /userRpm/WlanSecurityRpm.htm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow TP-Link Denial Of Service Tl Wr841Nd Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-25286 CRITICAL PATCH Act Now

Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
4.4%
CVE-2024-3303 MEDIUM POC This Month

An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.6.5, starting from 17.7 prior to 17.7.4, and starting from 17.8 prior to 17.8.2, which allows an attacker to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Gitlab Code Injection
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-12586 MEDIUM POC This Month

The Chalet-Montagne.com Tools WordPress plugin through 2.7.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Chalet Montagne Com Tools
NVD WPScan
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-34399 CRITICAL Act Now

Mercedes-Benz head-unit NTG6 contains functions to import or export profile settings over USB. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Headunit Ntg6 Mercedes Benz User Experience
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-13182 CRITICAL Act Now

The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2024-7102 CRITICAL Act Now

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Privilege Escalation
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-25067 CRITICAL Act Now

mySCADA myPRO Manager is vulnerable to an OS command injection which could allow a remote attacker to execute arbitrary OS commands. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Mypro
NVD
CVSS 4.0
9.3
EPSS
0.9%
CVE-2024-54951 MEDIUM POC This Month

Monica 4.1.2 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Monica
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2025-1283 CRITICAL Act Now

The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Dt R002 Firmware Dt R008 Firmware Dt R016 Firmware Dt R032 Firmware
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-0896 CRITICAL Act Now

Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Orthanc Suse
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2025-1127 CRITICAL Act Now

The vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user and/or modify the contents of any data on the filesystem. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-1270 CRITICAL Act Now

Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Authentication Bypass H6Web
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-13120 MEDIUM POC This Month

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Profilepress
NVD WPScan
CVSS 3.1
4.8
EPSS
0.3%
CVE-2024-13119 MEDIUM POC This Month

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Profilepress
NVD WPScan
CVSS 3.1
4.8
EPSS
0.2%
CVE-2025-26511 HIGH PATCH This Week

Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-1059 HIGH This Week

cause communications to stop when malicious packets are sent to the webserver of the device. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2025-24861 HIGH This Week

An attacker may inject commands via specially-crafted post requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Mojave Inverter Oghi8048A Firmware
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-26473 HIGH This Week

The Mojave Inverter uses the GET method for sensitive information. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mojave Inverter Oghi8048A Firmware
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-25281 HIGH This Week

An attacker may modify the URL to discover sensitive information about the target network. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mojave Inverter Oghi8048A Firmware
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-1060 HIGH This Week

of data when network traffic is being sniffed by an attacker. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-24888 HIGH This Week

The SecureDrop Client is a desktop application for journalists to communicate with sources and work with submissions on the SecureDrop Workstation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Path Traversal
NVD GitHub
CVSS 3.1
8.1
EPSS
3.1%
CVE-2025-0327 HIGH This Week

trail data and the other acting as server managing client request) that could cause a loss of Confidentiality, Integrity and Availability of engineering workstation when an attacker with standard. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Privilege Escalation Windows
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-24903 HIGH This Week

libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Java
NVD GitHub
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-24904 HIGH This Week

libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Java
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2024-8266 MEDIUM POC This Month

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Gitlab Privilege Escalation
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2025-1247 HIGH PATCH This Week

Quarkus REST endpoints using field injection without CDI scope annotation leak request parameters across concurrent HTTP requests, enabling authenticated attackers to manipulate data, impersonate users, or access sensitive information belonging to other concurrent sessions. Red Hat has confirmed the vulnerability (CVE-2025-1247) with a CVSS score of 8.3, affecting Quarkus-based applications. The EPSS score of 0.18% (40th percentile) indicates relatively low predicted exploitation probability, and no public exploit identified at time of analysis.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2024-13770 HIGH This Week

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2.4 via deserialization of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure WordPress PHP Deserialization Puzzles
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-22960 HIGH This Week

A session hijacking vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Authentication Bypass
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-22961 HIGH This Week

A critical information disclosure vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters due to Incorrect Access Control (CWE-284). Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-21700 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Linux Privilege Escalation Linux Kernel +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2023-34402 HIGH This Week

Mercedes-Benz head-unit NTG6 contains functions to import or export profile settings over USB. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Headunit Ntg6 Mercedes Benz User Experience
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2024-12013 HIGH This Week

A CWE-1392 “Use of Default Credentials” was discovered affecting the 130.8005 TCP/IP Gateway running firmware version 12h. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.6
EPSS
0.4%
CVE-2024-12011 HIGH This Week

A CWE-126 “Buffer Over-read” was discovered affecting the 130.8005 TCP/IP Gateway running firmware version 12h. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow
NVD
CVSS 3.1
7.6
EPSS
0.2%
CVE-2023-34400 HIGH This Week

Mercedes-Benz head-unit NTG6 contains functions to import or export profile settings over USB. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service Headunit Ntg6 Mercedes Benz User Experience
NVD
CVSS 3.1
7.5
EPSS
0.4%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy