Skip to main content
CVE-2025-29384 CRITICAL POC THREAT Emergency

In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.6%.

Memory Corruption Tenda Buffer Overflow RCE Ac9 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
14.6%
CVE-2025-29386 CRITICAL POC Act Now

In Tenda AC9 v1.0 V15.03.05.14_multi, the mac parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Tenda Buffer Overflow RCE Ac9 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-29385 CRITICAL POC Act Now

In Tenda AC9 v1.0 V15.03.05.14_multi, the cloneType parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Tenda Buffer Overflow RCE Ac9 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-29031 CRITICAL POC Act Now

Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the fromAddressNat function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Tenda Buffer Overflow Ac6 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-29030 CRITICAL POC Act Now

Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the formWifiWpsOOB function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Tenda Buffer Overflow Ac6 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-29029 CRITICAL POC Act Now

Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the formSetSpeedWan function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Tenda Buffer Overflow Ac6 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-26163 CRITICAL POC Act Now

CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the CPF parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Auto Atendimento
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-13824 CRITICAL Act Now

The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization Ciyashop
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2025-2232 CRITICAL Act Now

The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation Realteo PHP
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-11286 CRITICAL Act Now

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Jobcareer
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-11285 CRITICAL Act Now

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation Jobcareer
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-11284 CRITICAL Act Now

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation Jobcareer
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-27595 CRITICAL Act Now

The device uses a weak hashing alghorithm to create the password hash. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-13771 CRITICAL Act Now

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-2000 CRITICAL PATCH Act Now

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats < 13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Privilege Escalation Deserialization Qiskit
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-2304 CRITICAL PATCH Act Now

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 4.0
9.4
EPSS
0.2%
CVE-2025-29774 CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js Red Hat
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-29775 CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js Red Hat
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-27593 CRITICAL Act Now

The product can be used to distribute malicious code using SDD Device Drivers due to missing download verification checks, leading to code execution on target systems. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE
NVD
CVSS 3.1
9.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy