Skip to main content
CVE-2025-24813 CRITICAL POC KEV PATCH THREAT CERT-EU Act Now

A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2.

Apache RCE Information Disclosure Red Hat Suse
NVD GitHub HeroDevs Exploit-DB
CVSS 3.1
9.8
EPSS
94.2%
Threat
7.8
CVE-2025-25940 CRITICAL POC Act Now

VisiCut 2.1 allows remote code execution through insecure XML deserialization in the loadPlfFile method. An attacker who can supply a crafted PLF file can execute arbitrary Java code on the victim's machine. A public PoC exploit exists and no patch is available.

Java
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-25977 CRITICAL POC PATCH Act Now

canvg 4.0.2 is vulnerable to arbitrary code execution through prototype pollution in the StyleElement class constructor. An attacker can exploit this to execute code in environments that process SVG content with canvg. A PoC exists with no patch available.

RCE Code Injection Red Hat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-1945 CRITICAL POC PATCH Act Now

PickleScan before 0.0.23 can be bypassed by flipping specific ZIP file header flag bits, allowing malicious pickle files to evade detection inside PyTorch model archives. An attacker can embed arbitrary code execution payloads that PickleScan misses but PyTorch's torch.load() still processes. A proof-of-concept exists and a patch is available in version 0.0.23.

Authentication Bypass Deserialization RCE Pytorch AI / ML
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-1497 CRITICAL PATCH Act Now

PlotAI is vulnerable to remote code execution because it executes LLM-generated Python code without validation. The vendor has acknowledged the flaw by commenting out the vulnerable line but does not plan to release a formal patch, leaving users who re-enable the feature at risk.

Python RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2025-26936 CRITICAL Act Now

Fresh Framework for WordPress (through 1.70.0) contains a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code with scope change, achieving maximum impact on confidentiality, integrity, and availability.

Code Injection RCE
NVD
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-25306 CRITICAL PATCH Act Now

Misskey, a federated social media platform, has an incomplete fix for CVE-2024-52591 that allows ActivityPub object forgery. An attacker can claim authority in the URL field even when the protocol requires authority in the ID field, enabling spoofing of federated content. Fixed in 2025.2.1.

RCE
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-26916 CRITICAL Act Now

The Massive Dynamic WordPress theme (through 8.2) by EPC is vulnerable to PHP Remote File Inclusion via an improperly controlled include/require statement. Although the attack complexity is high, successful exploitation allows unauthenticated remote code execution with scope change.

PHP LFI Information Disclosure
NVD
CVSS 3.1
9.0
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy