Skip to main content
CVE-2025-2747 CRITICAL POC KEV PATCH THREAT Act Now

Kentico Xperience contains a second authentication bypass in the Staging Sync Server through None-type password handling, allowing administrative control. Companion to CVE-2025-2746.

Authentication Bypass Xperience
NVD GitHub
CVSS 3.1
9.8
EPSS
89.4%
Threat
7.6
CVE-2025-2746 CRITICAL POC KEV PATCH THREAT Act Now

Kentico Xperience through 13.0.172 contains an authentication bypass in the Staging Sync Server through empty SHA1 username handling in digest authentication, allowing administrative object control.

Authentication Bypass Xperience
NVD GitHub
CVSS 3.1
9.8
EPSS
84.3%
Threat
7.5
CVE-2025-30208 MEDIUM POC PATCH THREAT This Month

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 89.0%.

Information Disclosure Vite Red Hat
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
89.0%
Threat
5.2
CVE-2025-2749 HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Kentico Xperience CMS versions through 13.0.178 allows authenticated administrators to upload arbitrary files to controlled server paths via path traversal in the Staging Sync Server component. Confirmed actively exploited in the wild (CISA KEV). Public exploit available with detailed bypass techniques. EPSS score of 1.23% (79th percentile) suggests targeted exploitation rather than widespread scanning. While CVSS 7.2 requires high-privilege (administrator) authentication, active exploitation status makes this a priority for organizations running Kentico CMS.

RCE Path Traversal File Upload
NVD VulDB
CVSS 3.1
7.2
EPSS
1.2%
Threat
4.5
CVE-2025-29312 CRITICAL POC Act Now

An issue in onos v2.7.0 allows attackers to trigger unexpected behavior within a device connected to a legacy switch via changing the link type from indirect to direct. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Onos
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2023-25610 CRITICAL Act Now

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 16.0% and no vendor patch available.

RCE Fortinet Fortiweb Fortiswitchmanager Fortiswitch +5
NVD
CVSS 3.1
9.8
EPSS
16.0%
CVE-2025-2680 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bank Locker Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-2679 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bank Locker Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-2682 MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Bank Locker Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bank Locker Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-2681 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bank Locker Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-2678 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Bank Locker Management System 1.0 and classified as critical.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bank Locker Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-2677 MEDIUM POC This Month

A vulnerability has been found in PHPGurukul Bank Locker Management System 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bank Locker Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-2675 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in PHPGurukul Bank Locker Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bank Locker Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-2674 MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul Bank Locker Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Bank Locker Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-2748 MEDIUM POC PATCH This Month

The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS.0.178. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS File Upload Xperience
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-29315 CRITICAL Act Now

An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-29778 MEDIUM POC PATCH This Month

Kyverno is a policy engine designed for cloud native platform engineering teams. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.

Authentication Bypass Kubernetes Kyverno Suse
NVD GitHub
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-30615 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email allows Code Injection.6.2. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-2708 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal File Upload Ruoyi Vue Pro
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.7%
CVE-2025-2689 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Yii
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-2687 MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul eLearning System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass File Upload Elearning System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-2690 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Yii
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-2711 MEDIUM POC This Month

A vulnerability was found in Yonyou UFIDA ERP-NC 5.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ufida Erp Nc
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-2710 MEDIUM POC This Month

A vulnerability was found in Yonyou UFIDA ERP-NC 5.0 and classified as problematic.jsp. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ufida Erp Nc
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-2712 MEDIUM POC This Month

A vulnerability was found in Yonyou UFIDA ERP-NC 5.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ufida Erp Nc
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-2709 MEDIUM POC This Month

A vulnerability has been found in Yonyou UFIDA ERP-NC 5.0 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ufida Erp Nc
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-30528 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in wpshopee Awesome Logos allows SQL Injection.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi CSRF
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-2715 MEDIUM POC This Month

A vulnerability classified as problematic has been found in timschofield webERP up to 5.0.0.rc+13. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-2673 MEDIUM POC This Month

A vulnerability classified as problematic has been found in code-projects Payroll Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Payroll Management System
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-2700 MEDIUM POC This Month

A vulnerability classified as problematic has been found in michelson Dante Editor up to 0.4.4. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dante3
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-30569 HIGH This Week

SQL injection in WP Featured Entries WordPress plugin versions up to 1.0 enables authenticated attackers with low-level privileges to extract sensitive database contents and potentially cause database denial of service through scope change. Reported by Patchstack audit team, this vulnerability has low exploitation probability (EPSS 0.09%, 25th percentile) and no confirmed active exploitation or public POC. The scope-changing nature (S:C) allows attackers to impact resources beyond the vulnerable component, escalating the attack's reach despite requiring initial authentication.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-30590 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dourou Flickr set slideshows allows SQL Injection.9. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2024-8773 HIGH This Week

SIMPLE.ERP client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-29314 HIGH This Week

Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-2231 HIGH This Week

PDF-XChange Editor RTF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow RCE Pdf Tools Pdf Xchange Editor
NVD
CVSS 3.0
7.8
EPSS
0.3%
CVE-2025-0835 HIGH This Week

Software installed and run as a non-privileged user may conduct improper GPU system calls to corrupt kernel heap memory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Use After Free Memory Corruption Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0478 HIGH This Week

Software installed and run as a non-privileged user may conduct improper GPU system calls to issue reads and writes to arbitrary physical memory pages. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-8774 HIGH This Week

The SIMPLE.ERP client stores superuser password in a recoverable format, allowing any authenticated SIMPLE.ERP user to escalate privileges to a database administrator. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation
NVD
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-30205 HIGH This Week

kanidim-provision is a helper utility that uses kanidm's API to provision users, groups and oauth2 systems. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2025-30525 HIGH This Week

SQL injection in WP Profitshare plugin for WordPress allows authenticated administrators to extract sensitive database contents or disrupt availability. Affects versions up to 1.4.9. The CVSS 7.6 score reflects high confidentiality impact with scope change, indicating potential database-wide access beyond the plugin's normal privileges. EPSS score of 0.21% (44th percentile) suggests low current exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.2%
CVE-2025-30523 HIGH This Week

SQL injection in Super Simple Subscriptions WordPress plugin through version 1.1.0 allows high-privileged administrators to extract database contents and potentially cause service disruption. The vulnerability requires authenticated admin access (PR:H) but enables cross-scope impact (S:C), allowing compromise beyond the plugin's normal boundaries to potentially access WordPress database tables containing user credentials, payment data, or other sensitive information. With EPSS at 0.21% (44th percentile) and no confirmed active exploitation, this represents a moderate insider threat or account compromise scenario rather than an immediate mass-exploitation risk.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.2%
CVE-2025-30604 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jiangqie JiangQie Official Website Mini Program allows Blind SQL Injection.8.2. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-30571 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in STEdb Corp. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-30570 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AliRezaMohammadi دکمه، شبکه اجتماعی خرید allows SQL Injection.0.6. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-29311 HIGH This Week

Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Onos
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2021-26091 HIGH This Week

A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Fortimail
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29313 HIGH This Week

Use of incorrectly resolved name or reference in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to cause a Denial of Service (DoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-10558 LOW POC Monitor

The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Form Maker
NVD WPScan
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-1062 LOW POC Monitor

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Slider Gallery And Carousel PHP
NVD WPScan
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-0255 HIGH This Week

HCL DevOps Deploy / HCL Launch could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Hcl Devops Deploy Hcl Launch
NVD
CVSS 3.1
7.2
EPSS
0.6%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy