Skip to main content
CVE-2025-24865 CRITICAL POC THREAT Emergency

The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 67.2% and no vendor patch available.

Authentication Bypass Mypro
NVD
CVSS 4.0
10.0
EPSS
67.2%
Threat
5.5
CVE-2025-22896 CRITICAL POC THREAT Emergency

mySCADA myPRO Manager stores credentials in cleartext, which could allow an attacker to obtain sensitive information. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.2% and no vendor patch available.

Information Disclosure Mypro
NVD
CVSS 4.0
9.2
EPSS
33.2%
Threat
4.3
CVE-2025-25388 CRITICAL POC Act Now

A SQL Injection vulnerability was found in /admin/edit-propertytype.php in PHPGurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the editid GET request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
9.8
EPSS
3.0%
CVE-2025-25389 CRITICAL POC Act Now

A SQL Injection vulnerability was found in /admin/forgot-password.php in Phpgurukul Land Record System v1.0, which allows remote attackers to execute arbitrary code via the contactno POST request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2024-10763 CRITICAL POC Act Now

The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE WordPress Path Traversal +1
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-25286 CRITICAL PATCH Act Now

Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
4.4%
CVE-2023-34399 CRITICAL Act Now

Mercedes-Benz head-unit NTG6 contains functions to import or export profile settings over USB. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Headunit Ntg6 Mercedes Benz User Experience
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-13182 CRITICAL Act Now

The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2024-7102 CRITICAL Act Now

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.0 which allows an attacker to trigger a pipeline as another user under certain circumstances. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Privilege Escalation
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-25067 CRITICAL Act Now

mySCADA myPRO Manager is vulnerable to an OS command injection which could allow a remote attacker to execute arbitrary OS commands. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Mypro
NVD
CVSS 4.0
9.3
EPSS
0.9%
CVE-2025-1283 CRITICAL Act Now

The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Dt R002 Firmware Dt R008 Firmware Dt R016 Firmware Dt R032 Firmware
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-0896 CRITICAL Act Now

Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Orthanc Suse
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2025-1127 CRITICAL Act Now

The vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user and/or modify the contents of any data on the filesystem. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-1270 CRITICAL Act Now

Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Authentication Bypass H6Web
NVD
CVSS 3.1
9.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy