Skip to main content
CVE-2025-27590 CRITICAL PATCH Act Now

In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Oxidized Web
NVD GitHub
CVSS 3.1
9.0
EPSS
1.4%
CVE-2025-27583 CRITICAL Act Now

Incorrect access control in the component /rest/staffResource/findAllUsersAcrossOrg of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Academia Student Information System
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2024-53384 MEDIUM POC This Month

A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Tsup
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2023-49031 MEDIUM POC This Month

Directory Traversal (Local File Inclusion) vulnerability in Tikit (now Advanced) eMarketing platform 6.8.3.0 allows a remote attacker to read arbitrary files and obtain sensitive information via a. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI PHP Path Traversal Tikit Emarketing
NVD GitHub
CVSS 3.1
5.1
EPSS
0.0%
CVE-2024-53386 MEDIUM POC This Month

Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Code Injection XSS Stage Js
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2024-53382 MEDIUM POC PATCH This Month

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Code Injection XSS Prism Red Hat
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-1851 HIGH This Week

A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tenda Buffer Overflow Ac7 Firmware
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.8%
CVE-2025-25967 HIGH This Week

Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Acora Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-27099 MEDIUM POC PATCH This Month

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Tuleap
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2025-26999 HIGH This Week

PHP object injection in ProfileGrid WordPress plugin versions up to 5.9.4.3 allows authenticated attackers to execute arbitrary code through unsafe deserialization of user-controlled data. With CVSS 8.8 severity and only low-privilege authentication required, this CWE-502 vulnerability enables full site compromise. EPSS exploitation probability is low (0.23%, 45th percentile) and no active exploitation or public POC is confirmed, though Patchstack has documented the vulnerability in their WordPress plugin security database.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-26967 HIGH This Week

PHP object injection in Events Calendar for GeoDirectory plugin versions through 2.3.14 enables authenticated attackers with low-privilege access to execute arbitrary PHP code by injecting malicious serialized objects. The CVSS 8.8 score reflects network-based exploitation requiring only low-level authentication, with no user interaction needed. EPSS score of 0.23% (45th percentile) indicates low observed exploitation probability, and no CISA KEV listing confirms this is not yet actively exploited in the wild. Patchstack database reports this as a confirmed deserialization vulnerability (CWE-502) in the WordPress plugin ecosystem.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1852 HIGH This Week

A vulnerability has been found in Totolink EX1800T 9.1.0cu.2112_B20220316 and classified as critical. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Ex1800T Firmware TOTOLINK
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.7%
CVE-2024-43169 HIGH This Week

IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a user to download a malicious file without verifying the integrity of the code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Engineering Requirements Management Doors Next
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-0475 HIGH This Week

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab XSS
NVD
CVSS 3.1
8.7
EPSS
0.3%
CVE-2024-51962 HIGH This Week

A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Arcgis Server
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-26534 HIGH This Week

Arbitrary file deletion in Helloprint WordPress plugin versions up to 2.0.7 allows remote unauthenticated attackers to delete critical files via path traversal, causing denial of service. CVSS 8.6 with Changed scope indicates impact beyond the vulnerable component. EPSS score of 0.19% (41st percentile) suggests low current exploitation probability. Reported by Patchstack audit team with technical details available in their vulnerability database.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2025-27501 HIGH This Week

OpenZiti is a free and open source project focused on bringing zero trust to any application. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Openziti
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-27263 HIGH This Week

SQL injection in Doctor Appointment Booking WordPress plugin versions up to 1.0.0 allows authenticated attackers with low-level privileges to extract sensitive database information and potentially cause availability disruption. The vulnerability enables scope change, meaning attackers can access resources beyond their authorized privilege level to read high-sensitivity data. With EPSS probability at 0.12% (31st percentile) and no evidence of active exploitation or public exploit code, this represents a moderate real-world risk primarily for sites where low-privileged user accounts (subscriber/contributor roles) exist.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2024-51954 HIGH This Week

There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Authentication Bypass Arcgis Server Windows
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-0286 HIGH This Week

Various Paragon Software products contain an arbitrary kernel memory write vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Paragon Backup Recovery Paragon Disk Wiper Paragon Drive Copy Paragon Hard Disk Manager +2
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-27500 HIGH This Week

OpenZiti is a free and open source project focused on bringing zero trust to any application. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Openziti
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-25109 HIGH This Week

Local file inclusion in WP Vehicle Manager 3.1 and earlier allows remote unauthenticated attackers to read arbitrary files on the server or potentially execute code via PHP file inclusion. Classified as CWE-98 (PHP Remote File Inclusion) but exploits local file paths. EPSS score of 0.30% (53rd percentile) indicates below-average exploitation probability, with no CISA KEV listing or confirmed active exploitation. Patchstack vulnerability database confirms the issue affects arbitrary shortcode execution paths, suggesting exploitation requires specific WordPress shortcode processing contexts.

Information Disclosure LFI PHP
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-25122 HIGH This Week

Path traversal in WizShop plugin versions through 3.0.2 enables remote attackers to include arbitrary PHP files from the local filesystem, potentially achieving remote code execution. Despite the high CVSS score (8.1), this vulnerability shows low real-world exploitation probability with EPSS at 0.22% (45th percentile). The attack complexity is rated HIGH (AC:H), requiring specific conditions to successfully exploit. No active exploitation confirmed; not listed in CISA KEV, and no public proof-of-concept identified at time of analysis.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-1723 HIGH This Week

Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-25950 HIGH This Week

Incorrect access control in the component /rest/staffResource/update of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows create and modify user accounts,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Academia Student Information System
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-1801 HIGH PATCH This Week

A flaw was found in the Ansible aap-gateway. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Race Condition Red Hat
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-53011 HIGH This Week

Information disclosure may occur due to improper permission and access controls to Video Analytics engine. Rated high severity (CVSS 7.9), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Privilege Escalation Snapdragon 8 Gen 1 Mobile Platform Firmware Snapdragon 8 Gen 2 Mobile Platform Firmware Snapdragon Ar1 Gen 1 Platform Luna1 Firmware +78
NVD
CVSS 3.1
7.9
EPSS
0.0%
CVE-2025-0288 HIGH This Week

Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Paragon Backup Recovery Paragon Disk Wiper Paragon Drive Copy Paragon Hard Disk Manager +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0678 HIGH PATCH This Week

A flaw was found in grub2. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow RCE Grub2 Openshift Container Platform +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-45782 HIGH PATCH This Week

A flaw was found in the HFS filesystem. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Memory Corruption Buffer Overflow Grub2 Openshift Container Platform +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0289 HIGH This Week

Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Paragon Backup Recovery Paragon Disk Wiper Paragon Drive Copy Paragon Hard Disk Manager +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0285 HIGH This Week

Various Paragon Software products contain an arbitrary kernel memory mapping vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Paragon Backup Recovery Paragon Disk Wiper Paragon Drive Copy Paragon Hard Disk Manager +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53034 HIGH This Week

Memory corruption occurs during an Escape call if an invalid Kernel Mode CPU event and sync object handle are passed with the DriverKnownEscape flag reset. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Fastconnect 6900 Firmware Fastconnect 7800 Firmware Sc8380xp Firmware Wcd9380 Firmware +4
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53033 HIGH This Week

Memory corruption while doing Escape call when user provides valid kernel address in the place of valid user buffer address. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Fastconnect 6900 Firmware Fastconnect 7800 Firmware Sc8380xp Firmware Wcd9380 Firmware +4
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53031 HIGH This Week

Memory corruption while reading a type value from a buffer controlled by the Guest Virtual Machine. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Qam8255p Firmware Qam8295p Firmware Qam8620p Firmware Qam8650p Firmware +22
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53030 HIGH This Week

Memory corruption while processing input message passed from FE driver. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Msm8996au Firmware Qam8255p Firmware Qam8295p Firmware Qam8620p Firmware +40
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53029 HIGH This Week

Memory corruption while reading a value from a buffer controlled by the Guest Virtual Machine. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Qam8255p Firmware Qam8295p Firmware Qam8620p Firmware Qam8650p Firmware +22
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53024 HIGH PATCH This Week

Memory corruption in display driver while detaching a device. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Buffer Overflow Denial Of Service Qcs6490 Firmware Qcs7230 Firmware +159
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53023 HIGH PATCH This Week

Memory corruption may occur while accessing a variable during extended back to back tests. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Buffer Overflow Ar8035 Firmware Fastconnect 6900 Firmware +100
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53022 HIGH This Week

Memory corruption may occur during communication between primary and guest VM. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Qam8255p Firmware Qam8295p Firmware Qam8620p Firmware Qam8650p Firmware +19
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53014 HIGH PATCH This Week

Memory corruption may occur while validating ports and channels in Audio driver. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Buffer Overflow Sm6370 Firmware Sm6650 Firmware Sm7250p Firmware Sm7315 Firmware +240
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53012 HIGH This Week

Memory corruption may occur due to improper input validation in clock device. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Qam8255p Firmware Qam8295p Firmware Qam8620p Firmware Qam8650p Firmware +22
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-49836 HIGH PATCH This Week

Memory corruption may occur during the synchronization of the camera`s frame processing pipeline. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Buffer Overflow Fastconnect 6900 Firmware Fastconnect 7800 Firmware Qmp1000 Firmware Sdm429w Firmware +25
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-45580 HIGH PATCH This Week

Memory corruption while handling multuple IOCTL calls from userspace for remote invocation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Buffer Overflow Fastconnect 6900 Firmware Fastconnect 7800 Firmware +35
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-43062 HIGH PATCH This Week

Memory corruption caused by missing locks and checks on the DMA fence and improper synchronization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Buffer Overflow Fastconnect 6900 Firmware Fastconnect 7800 Firmware +12
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-43061 HIGH PATCH This Week

Memory corruption during voice activation, when sound model parameters are loaded from HLOS, and the received sound model list is empty in HLOS drive. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Buffer Overflow Fastconnect 6900 Firmware Fastconnect 7800 Firmware +28
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-43060 HIGH PATCH This Week

Memory corruption during voice activation, when sound model parameters are loaded from HLOS to ADSP. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Memory Corruption Buffer Overflow Ar8035 Firmware Fastconnect 6900 Firmware Fastconnect 7800 Firmware +38
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-43059 HIGH PATCH This Week

Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Buffer Overflow Sa8770p Firmware Sa8775p Firmware +18
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-43057 HIGH PATCH This Week

Memory corruption while processing command in Glink linux. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Buffer Overflow Qcn6224 Firmware Qcn6274 Firmware +149
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-1125 HIGH PATCH This Week

When reading data from a hfs filesystem, grub's hfs filesystem module uses user-controlled parameters from the filesystem metadata to calculate the internal buffers size, however it misses to. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE Grub2
NVD
CVSS 3.1
7.8
EPSS
0.0%
Prev Page 2 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy