Skip to main content
CVE-2025-25614 HIGH POC This Week

Incorrect Access Control in Unifiedtransform 2.0 leads to Privilege Escalation, which allows teachers to update the personal data of fellow teachers. [CVSS 8.8 HIGH]

Privilege Escalation
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-11638 HIGH POC This Week

The Gtbabel WordPress plugin before version 6.6.9 fails to validate that analyzed URLs belong to the legitimate website, allowing attackers to trick users into visiting malicious links that steal their login cookies. This affects any WordPress site running the vulnerable plugin version. An attacker could craft a specially designed URL that, when clicked by an admin or logged-in user, exposes their session cookies, potentially giving the attacker full account access.

WordPress
NVD WPScan
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-25907 HIGH POC This Week

tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/save. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request. [CVSS 8.8 HIGH]

CSRF RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-22603 HIGH POC PATCH This Week

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Versions prior to autogpt-platform-beta-v0.4.2 contains a server-side request forgery (SSRF) vulnerability inside component (or block) `Send Web Request`. [CVSS 8.1 HIGH]

SSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-13918 HIGH POC PATCH This Week

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page. [CVSS 8.0 HIGH]

XSS
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2024-13919 HIGH POC PATCH This Week

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page. [CVSS 8.0 HIGH]

XSS
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-27910 HIGH POC This Week

tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/upd/status. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request. [CVSS 8.0 HIGH]

CSRF RCE
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-2136 HIGH PATCH This Week

Use after free in Inspector in Google Chrome versions up to 134.0.6998.88 is affected by use after free (CVSS 8.8).

Chrome Suse Google
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-2135 HIGH PATCH This Week

Type Confusion in V8 in Google Chrome versions up to 134.0.6998.88 is affected by access of resource using incompatible type (type confusion) (CVSS 8.8).

Chrome Suse Google
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1920 HIGH PATCH This Week

Type Confusion in V8 in Google Chrome versions up to 134.0.6998.88 is affected by access of resource using incompatible type (type confusion) (CVSS 8.8).

Chrome Suse Google
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-2137 HIGH PATCH This Week

Out of bounds read in V8 in Google Chrome versions up to 134.0.6998.88 is affected by out-of-bounds read (CVSS 8.8).

Chrome Suse Google
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-41724 HIGH This Week

in the Gallagher Command Centre SALTO integration allowed an attacker to spoof the SALTO server. This issue affects all versions of Gallagher Command Centre versions up to 9.20.1043. is affected by improper certificate validation (CVSS 8.7).

Authentication Bypass
NVD
CVSS 3.1
8.7
EPSS
0.1%
CVE-2025-27925 HIGH This Week

Nintex Automation 5.6 and 5.7 versions up to 5.8 is affected by deserialization of untrusted data (CVSS 8.5).

Deserialization
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-27616 HIGH PATCH This Week

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the e...

Linux RCE Suse
NVD GitHub
CVSS 3.1
8.5
EPSS
0.1%
CVE-2024-56191 HIGH This Week

In dhd_process_full_gscan_result of dhd_pno.c, there is a possible EoP due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Integer Overflow
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-27256 HIGH This Week

GE Vernova Enervista UR Setup application is affected by missing authentication for critical function (CVSS 8.3).

Authentication Bypass
NVD
CVSS 3.1
8.3
EPSS
0.1%
CVE-2025-27615 HIGH This Week

umatiGateway is software for connecting OPC Unified Architecture servers with an MQTT broker utilizing JSON messages. The user interface may possibly be publicly accessible with umatiGateway's provided docker-compose file. [CVSS 8.2 HIGH]

Docker
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2025-27254 HIGH This Week

CWE-282 "Improper Ownership Management" in GE Vernova EnerVista UR Setup allows Authentication Bypass. The software's startup authentication can be disabled by altering a Windows registry setting that any user can modify. [CVSS 8.0 HIGH]

Windows Authentication Bypass
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-27255 HIGH This Week

Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using an hardcoded password retrievable by an attacker analyzing the application code. [CVSS 8.0 HIGH]

Privilege Escalation
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2022-43454 HIGH This Week

A double free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.1, watchOS 9.2, iOS 16.2 and iPadOS 16.2, tvOS 16.2. [CVSS 7.8 HIGH]

Linux Denial Of Service macOS iOS Apple
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-56192 HIGH This Week

In wl_notify_gscan_event of wl_cfgscan.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Buffer Overflow Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-27610 HIGH PATCH This Week

Rack provides an interface for developing web applications in Ruby. versions up to 2.2.13 contains a security vulnerability (CVSS 7.5).

Path Traversal Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-26933 HIGH This Week

Local File Inclusion in WC Place Order Without Payment (WordPress plugin) versions up to 2.6.7 enables remote attackers to read arbitrary files from the web server through improper filename control in PHP include/require statements. While CVSS rates this 7.5 (High), EPSS exploitation probability is low (0.24%, 46th percentile), and no active exploitation is confirmed (not in CISA KEV). Patchstack vulnerability database confirms the flaw, but no public exploit code is identified at time of analysis. Real-world risk is moderate: exploitation requires high attack complexity and user interaction, limiting mass exploitation scenarios despite network accessibility.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-54546 HIGH This Week

The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15. [CVSS 7.5 HIGH]

Linux macOS Apple
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-44227 HIGH This Week

The issue was addressed with improved memory handling. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. [CVSS 7.5 HIGH]

Linux Denial Of Service Apple macOS iOS
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-25382 HIGH This Week

The Property Tax Payment Portal in Kerala's SANCHAYA system (version 3.0.4) has a flaw that lets attackers change payment amounts in fake requests, potentially paying less tax than owed. This affects anyone using this government portal to pay property taxes in Kerala, India. An attacker could exploit this to reduce their tax payments or cause financial loss to the government by manipulating transaction amounts.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-27913 HIGH This Week

Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header. [CVSS 7.5 HIGH]

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-43107 HIGH This Week

Improper Certificate Validation (CWE-295) in the Gallagher Milestone Integration Plugin (MIP) permits unauthenticated messages (e.g. alarm events) to be sent to the Plugin. [CVSS 7.2 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-26910 HIGH This Week

Stored Cross-Site Scripting in WPBookit WordPress plugin through version 1.0.1 can be achieved via CSRF attack vector. Attackers trick authenticated administrators into executing malicious requests that inject persistent JavaScript into the booking management interface, potentially leading to session hijacking, privilege escalation, or further site compromise. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, though the CVSS:3.1 score of 7.1 reflects the Changed Scope and combined impact of both CSRF and XSS vulnerabilities affecting confidentiality, integrity, and availability.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-26696 HIGH PATCH This Week

Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8. [CVSS 7.0 HIGH]

Mozilla Authentication Bypass
NVD VulDB
CVSS 3.1
7.0
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy