Skip to main content
CVE-2025-29306 CRITICAL POC THREAT Emergency

FoxCMS version 1.2.5 contains an unauthenticated remote code execution vulnerability in the case display page of the index.html component. Attackers can inject and execute arbitrary PHP code on the server through crafted requests to the case display functionality.

RCE Code Injection Foxcms
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
84.4%
Threat
6.0
CVE-2025-28138 CRITICAL POC Act Now

The TOTOLINK A800R V4.1.2cu.5137_B20200730 were found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A800R Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
7.9%
CVE-2025-30364 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.6%
CVE-2025-30367 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.3%
CVE-2025-25686 CRITICAL POC Act Now

semcms <=5.0 is vulnerable to SQL Injection in SEMCMS_Fuction.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Semcms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-30365 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Wegia
NVD GitHub
CVSS 4.0
9.4
EPSS
0.6%
CVE-2025-2332 CRITICAL Act Now

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2025-2857 CRITICAL PATCH Act Now

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Google Information Disclosure Mozilla Chrome
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-26909 CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Darrel Hide My WP Ghost allows PHP Local File Inclusion.4.01. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-2516 CRITICAL Act Now

The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Information Disclosure Windows
NVD
CVSS 4.0
9.5
EPSS
0.1%
CVE-2025-26898 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shinetheme Traveler.1.8. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-26873 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Shine theme Traveler.2.1. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.0
EPSS
0.3%
CVE-2025-30361 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Wegia
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy