Skip to main content
CVE-2025-25279 CRITICAL PATCH CERT-EU Act Now

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 29.3% and no vendor patch available.

Path Traversal Mattermost Server Suse
NVD
CVSS 3.1
9.9
EPSS
29.3%
CVE-2025-27140 CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection PHP RCE Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
6.0%
CVE-2025-22974 CRITICAL POC Act Now

SQL Injection vulnerability in SeaCMS v.13.2 and before allows a remote attacker to execute arbitrary code via the DoTranExecSql parameter in the phome.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Seacms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-25513 CRITICAL POC Act Now

Seacms <=13.3 is vulnerable to SQL Injection in admin_members.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Seacms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-56897 CRITICAL POC Act Now

Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Yi Car Dashcam Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-27133 CRITICAL POC PATCH Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.5%
CVE-2025-27364 CRITICAL Act Now

In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
4.6%
CVE-2024-54820 CRITICAL Act Now

XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 was discovered to contain a SQL injection vulnerability in the login page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2025-20051 CRITICAL PATCH CERT-EU Act Now

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Mattermost Server Suse
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2024-53544 CRITICAL Act Now

NovaCHRON Zeitsysteme GmbH & Co. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-56525 CRITICAL Act Now

In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-24490 CRITICAL CERT-EU Act Now

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Mattermost Server
NVD
CVSS 3.1
9.6
EPSS
0.3%
CVE-2025-26201 CRITICAL Act Now

Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows a remote unauthenticated attackers to bypass authentication and escalate privileges. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy