Skip to main content
CVE-2025-25279 CRITICAL PATCH CERT-EU Act Now

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 29.3% and no vendor patch available.

Path Traversal Mattermost Server Suse
NVD
CVSS 3.1
9.9
EPSS
29.3%
CVE-2025-27140 CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection PHP RCE Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
6.0%
CVE-2025-22974 CRITICAL POC Act Now

SQL Injection vulnerability in SeaCMS v.13.2 and before allows a remote attacker to execute arbitrary code via the DoTranExecSql parameter in the phome.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Seacms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-25513 CRITICAL POC Act Now

Seacms <=13.3 is vulnerable to SQL Injection in admin_members.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Seacms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-56897 CRITICAL POC Act Now

Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Yi Car Dashcam Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-27133 CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.5%
CVE-2025-27112 MEDIUM POC PATCH THREAT This Month

Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 12.9%.

Authentication Bypass Navidrome Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
12.9%
CVE-2025-26200 HIGH POC This Week

SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Senayan Library Management System
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-27364 CRITICAL Act Now

In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
4.6%
CVE-2024-57026 MEDIUM POC This Month

TawkTo Widget Version <= 1.3.7 is vulnerable to Cross Site Scripting (XSS) due to processing user input in a way that allows JavaScript execution. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Tawk To
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-13822 MEDIUM POC This Month

The Photo Contest | Competition | Video Contest WordPress plugin through 2.8.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Totalcontest
NVD WPScan
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-54820 CRITICAL Act Now

XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 was discovered to contain a SQL injection vulnerability in the login page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2025-20051 CRITICAL PATCH CERT-EU Act Now

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Mattermost Server Suse
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2024-53544 CRITICAL Act Now

NovaCHRON Zeitsysteme GmbH & Co. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-56525 CRITICAL Act Now

In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-24490 CRITICAL CERT-EU Act Now

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Mattermost Server
NVD
CVSS 3.1
9.6
EPSS
0.3%
CVE-2025-1610 MEDIUM POC This Month

A vulnerability was found in LB-LINK AC1900 Router 1.0.2 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ac1900 Firmware
NVD VulDB
CVSS 4.0
5.3
EPSS
0.8%
CVE-2025-1609 MEDIUM POC This Month

A vulnerability has been found in LB-LINK AC1900 Router 1.0.2 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ac1900 Firmware
NVD VulDB
CVSS 4.0
5.3
EPSS
0.8%
CVE-2025-1608 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in LB-LINK AC1900 Router 1.0.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ac1900 Firmware
NVD VulDB
CVSS 4.0
5.3
EPSS
0.8%
CVE-2025-1599 MEDIUM POC This Month

A vulnerability was found in SourceCodester Best Church Management Software 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Best Church Management Software
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.6%
CVE-2024-12308 MEDIUM POC This Month

The Logo Slider WordPress plugin before 4.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Logo Slider
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-1598 MEDIUM POC This Month

A vulnerability was found in SourceCodester Best Church Management Software 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Best Church Management Software
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-1606 MEDIUM POC This Month

A vulnerability classified as problematic was found in SourceCodester Best Employee Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Best Employee Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1607 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in SourceCodester Best Employee Management System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Best Employee Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-26201 CRITICAL Act Now

Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows a remote unauthenticated attackers to bypass authentication and escalate privileges. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-1611 MEDIUM POC This Month

A vulnerability was found in ShopXO up to 6.4.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Shopxo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-25460 MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Flatpress
NVD GitHub
CVSS 3.1
4.8
EPSS
1.2%
CVE-2025-1632 MEDIUM POC PATCH This Month

A vulnerability was found in libarchive up to 3.7.7. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Libarchive Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2024-12918 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agito Computer Health4All allows SQL Injection.01.2025. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-12916 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agito Computer Life4All allows SQL Injection.01.2025. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-27276 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in lizeipe Photo Gallery ( Responsive ) allows Privilege Escalation.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-13605 MEDIUM POC This Month

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Form Maker
NVD WPScan
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-26525 HIGH PATCH This Week

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Path Traversal Moodle
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2025-27312 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jenst WP Sitemap allows SQL Injection.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2024-55898 HIGH This Week

IBM i 7.2, 7.3, 7.4, and 7.5 could allow a user with the capability to compile or restore a program to gain elevated privileges due to an unqualified library call. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure IBM
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-22495 HIGH This Week

An improper input validation vulnerability was discovered in the NTP server configuration field of the Network-M2 card. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 3.1
8.4
EPSS
0.2%
CVE-2025-26530 HIGH PATCH This Week

The question bank filter required additional sanitizing to prevent a reflected XSS risk. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Moodle
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2025-26529 HIGH PATCH This Week

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Moodle
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2024-12917 HIGH This Week

Files or Directories Accessible to External Parties vulnerability in Agito Computer Health4All allows Exploiting Incorrectly Configured Access Control Security Levels, Authentication Abuse.01.2025. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2025-27298 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in cmstactics WP Video Posts allows OS Command Injection.5.1. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Command Injection CSRF
NVD
CVSS 3.1
8.3
EPSS
0.1%
CVE-2025-26533 HIGH PATCH This Week

An SQL injection risk was identified in the module list filter within course search. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

SQLi Moodle
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2023-52926 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Linux Information Disclosure Linux Kernel +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-27297 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in guelben Bravo Search & Replace allows Blind SQL Injection.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-27272 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in vinagecko VG PostCarousel allows PHP Local File Inclusion.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-27301 HIGH This Week

Deserialization of Untrusted Data vulnerability in Nazmul Hasan Robin NHR Options Table Manager allows Object Injection.1.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-27300 HIGH This Week

Deserialization of Untrusted Data vulnerability in giuliopanda ADFO allows Object Injection.9.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-27296 HIGH This Week

Missing Authorization vulnerability in revenueflex Auto Ad Inserter - Increase Google Adsense and Ad Manager Revenue allows Exploiting Incorrectly Configured Access Control Security Levels.5. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-27352 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wumii team 无觅相关文章插件 allows Stored XSS.0.5.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-27355 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Nicolas GRILLET Woocommerce - Loi Hamon allows Stored XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27332 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in gmnazmul Smart Maintenance & Countdown allows Stored XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy