Skip to main content
CVE-2025-2294 CRITICAL POC THREAT Emergency

The Kubio AI Page Builder WordPress plugin through version 2.5.1 contains an unauthenticated Local File Inclusion via the kubio_hybrid_theme_load_template function. Attackers can include and execute arbitrary PHP files on the server, achieving remote code execution through techniques like PHP filter chains or log poisoning.

Information Disclosure PHP RCE WordPress Path Traversal
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
56.9%
Threat
5.2
CVE-2025-25579 CRITICAL POC THREAT Emergency

TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Command Injection in /bin/boa via bandstr. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.4%.

Command Injection A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
19.4%
CVE-2024-24292 CRITICAL POC Act Now

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution RCE Software Development Kit
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-38988 CRITICAL POC PATCH Act Now

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution RCE Denial Of Service Unflatto
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-28087 CRITICAL POC Act Now

Sourcecodester Online Exam System 1.0 is vulnerable to SQL Injection via dash.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Exam System
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-28091 CRITICAL POC Act Now

maccms10 v2025.1000.4047 has a Server-Side Request Forgery (SSRF) vulnerability via Add Article. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Maccms
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-28090 CRITICAL POC Act Now

maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in the Collection Custom Interface feature. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Maccms
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-30372 HIGH POC This Week

Emlog is an open source website building system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Emlog
NVD GitHub
CVSS 4.0
7.7
EPSS
0.3%
CVE-2024-48615 HIGH POC PATCH This Week

Null Pointer Dereference vulnerability in libarchive 3.7.6 and earlier when running program bsdtar in function header_pax_extension at rchive_read_support_format_tar.c:1844:8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Libarchive Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-57083 HIGH POC PATCH This Week

A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Denial Of Service Redoc Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-24383 CRITICAL Act Now

Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.8% and no vendor patch available.

Command Injection Dell Unity Operating Environment
NVD
CVSS 3.1
9.1
EPSS
11.8%
CVE-2025-2919 HIGH POC This Week

A vulnerability was found in Netis WF-2404 1.1.124EN. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Netis Wf 2404 Firmware
NVD VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2025-2927 MEDIUM POC This Month

A vulnerability was found in ESAFENET CDG 5.6.3.154.205. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Cdg
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-31163 MEDIUM POC PATCH This Month

Segmentation fault in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via put_patternarc function. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Fig2Dev Suse
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-31162 MEDIUM POC PATCH This Month

Floating point exception in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via get_slope function. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Fig2Dev Suse
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-31164 MEDIUM POC PATCH This Month

heap-buffer overflow in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via create_line_with_spline. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Heap Overflow Fig2Dev Suse
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-28094 MEDIUM POC This Month

shopxo v6.4.0 has a ssrf/xss vulnerability in multiple places. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XSS Shopxo
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-28093 MEDIUM POC This Month

ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Shopxo
NVD
CVSS 3.1
6.3
EPSS
0.3%
CVE-2025-28092 MEDIUM POC This Month

ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) via image upload function. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Shopxo
NVD
CVSS 3.1
6.3
EPSS
0.3%
CVE-2024-56975 CRITICAL PATCH Act Now

InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE File Upload Invoiceplane
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2025-28219 CRITICAL Act Now

Netgear DC112A V1.0.0.64 has an OS command injection vulnerability in the usb_adv.cgi, which allows remote attackers to execute arbitrary commands via parameter "deviceName" passed to the binary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Netgear Command Injection Dc112A Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2025-22398 CRITICAL Act Now

Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Dell Unity Operating Environment
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2025-22953 CRITICAL Act Now

A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SQLi Human Capital Management
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-22526 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in NotFound PHP/MySQL CPU performance statistics allows Object Injection.2.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-28097 MEDIUM POC This Month

OneNav 1.1.0 is vulnerable to Cross Site Scripting (XSS) in custom headers. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Onenav
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-28096 MEDIUM POC This Month

OneNav 1.1.0 is vulnerable to Server-Side Request Forgery (SSRF) in custom headers. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Onenav
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-2921 MEDIUM POC This Month

A vulnerability classified as critical has been found in Netis WF-2404 1.1.124EN. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Netis Wf 2404 Firmware
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
CVE-2025-2917 MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in ChestnutCMS up to 1.5.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Chestnutcms
NVD VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2025-2328 HIGH PATCH This Week

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

PHP File Upload RCE WordPress Path Traversal +1
NVD
CVSS 3.1
8.8
EPSS
2.9%
CVE-2025-22523 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Schedule allows Blind SQL Injection.0.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2024-12619 MEDIUM POC This Month

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab Authentication Bypass
NVD
CVSS 3.1
5.2
EPSS
0.1%
CVE-2025-27718 HIGH This Week

Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file upload process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal File Upload
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2025-24381 HIGH This Week

Dell Unity, version(s) 5.4 and prior, contain(s) an URL Redirection to Untrusted Site ('Open Redirect') vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Dell Unity Operating Environment
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-2815 HIGH This Week

The Administrator Z plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the adminz_import_backup(). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-11504 HIGH This Week

Input from multiple fields in Streamsoft Prestiż is not sanitized properly, leading to an SQL injection vulnerability, which might be exploited by an authenticated remote attacker. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 4.0
8.6
EPSS
0.4%
CVE-2024-54291 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound PluginPass allows Manipulating Web Input to File System Calls.9.10. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2025-31466 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Falcon Solutions Duplicate Page and Post allows Blind SQL Injection.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2025-2858 HIGH This Week

Privilege escalation vulnerability in the saTECH BCU firmware version 2.1.3. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Satech Bcu Firmware
NVD
CVSS 4.0
8.5
EPSS
0.2%
CVE-2025-2908 HIGH This Week

The exposure of credentials in the call forwarding configuration module in MeetMe products in versions prior to 2024-09 allows an attacker to gain access to some important assets via configuration. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-1762 MEDIUM POC This Month

The Event Tickets with Ticket Scanner WordPress plugin before 2.5.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Event Tickets With Ticket Scanner PHP
NVD WPScan
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-7407 HIGH This Week

Use of a custom password encoding algorithm in Streamsoft Prestiż software allows straightforward decoding of passwords using their encoded forms, which are stored in the application's database. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.2
EPSS
0.3%
CVE-2025-27932 HIGH This Week

Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file deletion process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Denial Of Service
NVD
CVSS 3.0
8.1
EPSS
0.6%
CVE-2025-2485 HIGH PATCH This Week

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Information Disclosure PHP Deserialization File Upload WordPress +1
NVD
CVSS 3.1
7.5
EPSS
3.6%
CVE-2024-54362 HIGH This Week

Path Traversal vulnerability in NotFound GetShop ecommerce allows Path Traversal.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-49601 HIGH This Week

Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Dell Unity Operating Environment
NVD
CVSS 3.1
7.3
EPSS
4.3%
CVE-2025-30232 HIGH PATCH This Week

A use-after-free in Exim 4.96 through 4.98.1 could allow users (with command-line access) to escalate privileges. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. No vendor patch available.

Use After Free Memory Corruption Privilege Escalation Exim Suse
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-29928 HIGH PATCH This Week

authentik is an open-source identity provider. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Session Fixation Authentik
NVD GitHub
CVSS 3.1
8.0
EPSS
0.2%
CVE-2025-24382 HIGH This Week

Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Dell Unity Operating Environment
NVD
CVSS 3.1
7.3
EPSS
3.0%
CVE-2025-24380 HIGH This Week

Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Dell Unity Operating Environment
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-24379 HIGH This Week

Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Dell Unity Operating Environment
NVD
CVSS 3.1
7.8
EPSS
0.1%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy