Skip to main content
CVE-2025-25789 CRITICAL POC Act Now

FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controller\Sitemap.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Foxcms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2025-25784 CRITICAL POC Act Now

An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload Jizhicms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-25790 CRITICAL POC Act Now

An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload Foxcms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-53573 CRITICAL POC Act Now

Unifiedtransform v2.X is vulnerable to Incorrect Access Control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Unifiedtransform
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-53427 HIGH POC PATCH This Week

decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Jq Red Hat Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2024-57040 CRITICAL Act Now

TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 was discovered to contain a hardcoded password for the root account which can be obtained by analyzing downloaded firmware or via a brute force. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
8.5%
CVE-2024-55581 HIGH POC This Week

When AdaCore Ada Web Server 25.0.0 is linked with GnuTLS, the default behaviour of AWS.Client is vulnerable to a man-in-the-middle attack because of lack of verification of an HTTPS server's. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Ada Web Server Debian Linux
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2024-10152 HIGH POC This Week

The Simple Certain Time to Show Content WordPress plugin before 1.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Certain Time To Show Content
NVD WPScan
CVSS 3.1
7.1
EPSS
1.5%
CVE-2024-12878 HIGH POC This Week

The Custom Block Builder WordPress plugin before 3.8.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Lazy Blocks
NVD WPScan
CVSS 3.1
7.1
EPSS
0.8%
CVE-2024-13624 HIGH POC This Week

The WPMovieLibrary WordPress plugin through 2.1.4.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wpmovielibrary
NVD WPScan
CVSS 3.1
7.1
EPSS
0.6%
CVE-2024-13633 HIGH POC This Week

The Simple catalogue WordPress plugin through 1.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Catalogue
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-13632 HIGH POC This Week

The WP Extra Fields WordPress plugin through 1.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Extra Fields
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-13631 HIGH POC This Week

The Om Stripe WordPress plugin through 02.00.00 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Om Stripe
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-13571 HIGH POC This Week

The Post Timeline WordPress plugin before 2.3.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Post Timeline
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-10483 HIGH POC This Week

The Simple:Press Forum WordPress plugin before 6.10.11 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simplepress
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-13634 MEDIUM POC This Month

The Post Sync WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Post Sync
NVD WPScan
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-12737 MEDIUM POC This Month

The WP BASE Booking of Appointments, Services and Events WordPress plugin before 5.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Base Booking Of Appointments Services And Events
NVD WPScan
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-13628 MEDIUM POC This Month

The WP Pricing Table WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Pricing Table
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-13630 MEDIUM POC This Month

The NewsTicker WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Newsticker
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2025-1716 MEDIUM POC PATCH This Month

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Picklescan
NVD GitHub
CVSS 4.0
5.3
EPSS
4.2%
CVE-2024-57423 MEDIUM POC This Month

A Cross Site Scripting vulnerability in CloudClassroom-PHP Project v1.0 allows a remote attacker to execute arbitrary code via the exid parameter of the assessment function. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE XSS Cloudclassroom Php Project
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-13678 MEDIUM POC This Month

The R3W InstaFeed WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS R3W Instafeed
NVD WPScan
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-13669 MEDIUM POC This Month

The CalendApp WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Calendapp
NVD WPScan
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-13629 MEDIUM POC This Month

The pushBIZ WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Pushbiz
NVD WPScan
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-25799 MEDIUM POC This Month

SeaCMS 13.3 was discovered to contain an arbitrary file read vulnerability in the file_get_contents function at admin_safe.php. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Path Traversal Seacms
NVD GitHub
CVSS 3.1
6.0
EPSS
0.0%
CVE-2024-13113 MEDIUM POC This Month

The Countdown Timer for Elementor WordPress plugin before 1.3.7 does not sanitise and escape some parameters when outputting them on the page, which could allow users with a role as low as. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Countdown Timer For Elementor Elementor
NVD WPScan
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-25783 CRITICAL Act Now

An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP RCE File Upload Emlog
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-50688 CRITICAL Act Now

SunGrow iSolarCloud Android application V2.1.6.20241017 and prior contains hardcoded credentials. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Authentication Bypass Isolarcloud Android
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-25462 MEDIUM POC This Month

A SQL Injection vulnerability was found in /admin/add-propertytype.php in PHPGurukul Land Record System Project in PHP v1.0 allows remote attackers to execute arbitrary code via the propertytype POST. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Land Record System
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-10563 MEDIUM POC This Month

The WooCommerce Cart Count Shortcode WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Woo Cart Count Shortcode
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-25800 MEDIUM POC This Month

SeaCMS 13.3 was discovered to contain an arbitrary file read vulnerability in the file_get_contents function at admin_safe_file.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Seacms
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-47051 CRITICAL PATCH Act Now

This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP RCE Path Traversal Mautic
NVD GitHub
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-50693 CRITICAL Act Now

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Isolarcloud
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-50689 CRITICAL Act Now

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Isolarcloud
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-50687 CRITICAL Act Now

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Isolarcloud
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-50686 CRITICAL Act Now

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Isolarcloud
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-50685 CRITICAL Act Now

SunGrow iSolarCloud before the October 31, 2024 remediation, is vulnerable to insecure direct object references (IDOR) via the powerStationService API model. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Isolarcloud
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-25785 CRITICAL Act Now

JizhiCMS v2.5.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component \c\PluginsController.php. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF PHP Jizhicms
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-25813 MEDIUM POC This Month

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_files.php. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Seacms
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-25802 MEDIUM POC This Month

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_ip.php. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Seacms
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-25797 MEDIUM POC This Month

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_smtp.php. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Seacms
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-25796 MEDIUM POC This Month

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_template.php. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Seacms
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-25794 MEDIUM POC This Month

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_ping.php. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Seacms
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-25793 MEDIUM POC This Month

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_notify.php. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Seacms
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2024-46226 MEDIUM POC This Month

A stored cross site scripting (XSS) vulnerability in HelpDeskZ < v2.0.2 allows remote attackers to execute arbitrary JavaScript in the administration panel by including a malicious payload into the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Helpdeskz
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-25792 MEDIUM POC This Month

SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the isopen parameter at admin_weixin.php. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Seacms
NVD GitHub
CVSS 3.1
4.4
EPSS
0.1%
CVE-2025-22881 HIGH This Week

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow Cncsoft G2
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-25791 MEDIUM POC This Month

An arbitrary file upload vulnerability in the plugin installation feature of YZNCMS v2.0.1 allows attackers to execute arbitrary code via uploading a crafted Zip file. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE File Upload Yzncms
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2022-49287 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: tpm: fix reference counting for struct tpm_chip The following sequence of operations results in a refcount warning: 1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Linux Information Disclosure Linux Kernel +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2022-49078 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: lz4: fix LZ4_decompress_safe_partial read out of bound When partialDecoding, it is EOF if we've either filled the output buffer or. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Linux Information Disclosure Google +3
NVD
CVSS 3.1
7.8
EPSS
0.1%
Page 1 of 16 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy