Skip to main content
CVE-2025-1661 CRITICAL POC PATCH THREAT Act Now

The HUSKY Products Filter Professional for WooCommerce plugin through version 1.3.6.5 contains a critical Local File Inclusion vulnerability via the template parameter of the woof_text_search AJAX action. Unauthenticated attackers can include and execute arbitrary PHP files, leading to remote code execution on any WordPress site with the plugin.

WordPress PHP RCE
NVD
CVSS 3.1
9.8
EPSS
91.4%
Threat
6.2
CVE-2024-54085 CRITICAL KEV THREAT Emergency

A critical authentication bypass in AMI SPx BMC firmware allows unauthenticated remote attackers to gain full control of server hardware through the Redfish Host Interface. This KEV-listed vulnerability (CVSS 9.8) threatens the entire server fleet of organizations using AMI-based BMC implementations, enabling attackers to persist below the OS layer where traditional security tools cannot detect them.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
8.2%
CVE-2025-24201 CRITICAL KEV PATCH THREAT Act Now

A critical out-of-bounds write in WebKit's rendering engine allows maliciously crafted web content to escape the Web Content sandbox, achieving native code execution on Apple devices. Rated CVSS 10.0 and KEV-listed, CVE-2025-24201 is a supplementary fix for a previously patched vulnerability that was being actively exploited in extremely sophisticated targeted attacks. Affects all Apple platforms: iOS, iPadOS, macOS, Safari, visionOS, and watchOS.

Apple Memory Corruption Buffer Overflow
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-1550 CRITICAL POC PATCH GHSA Act Now

Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .keras archive. An attacker can specify arbitrary Python modules and functions to be loaded during model deserialization. PoC available, patch available.

Python Red Hat RCE
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
4.8%
CVE-2025-28915 CRITICAL Act Now

ThemeEgg ToolKit plugin for WordPress (through 1.2.9) allows authenticated administrators to upload web shells via unrestricted file upload. The scope change makes this critical despite requiring admin privileges, as it enables OS-level code execution beyond the WordPress application.

File Upload
NVD
CVSS 3.1
9.1
EPSS
22.7%
CVE-2025-26701 CRITICAL Act Now

Percona PMM Server OVA images ship with default service account credentials that grant SSH access and sudo to root, exposing all monitoring data and managed database credentials. The scope change reflects that compromising the monitoring server gives access to all monitored infrastructure.

SSH Privilege Escalation Information Disclosure Authentication Bypass
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2024-56336 CRITICAL Act Now

Siemens SINAMICS S200 drives with specific serial number prefixes contain an unlocked bootloader that allows attackers to inject malicious firmware. This bypasses the device's intrinsic security features, enabling persistent compromise of industrial drive systems.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-27494 CRITICAL Act Now

Siemens SiPass integrated access control systems (AC5102 ACC-G2 and ACC-AP, before V6.4.9) allow authenticated administrators to escalate to root via command injection in the REST API's pubkey endpoint. While high privileges are required, the scope change enables full system compromise.

Code Injection
NVD
CVSS 3.1
9.1
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy