Skip to main content
CVE-2025-30406 CRITICAL POC KEV PATCH THREAT Act Now

Gladinet CentreStack contains a deserialization vulnerability caused by a hardcoded machineKey in the portal, allowing unauthenticated remote code execution through crafted ViewState payloads.

RCE Deserialization Centrestack
NVD
CVSS 3.1
9.0
EPSS
83.4%
Threat
7.3
CVE-2025-31161 CRITICAL POC KEV THREAT CERT-EU Emergency

CrushFTP 10 and 11 contain an authentication bypass allowing takeover of the crushadmin account through a race condition in the AWS4-HMAC authorization method, massively exploited in March-April 2025.

Authentication Bypass Crushftp
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
86.2%
Threat
7.5
CVE-2025-22457 CRITICAL POC KEV EUVD KEV THREAT CERT-EU Emergency

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated remote code execution, the third major Ivanti VPN zero-day within fifteen months, exploited by UNC5221.

Ivanti Buffer Overflow RCE Stack Overflow Connect Secure +2
NVD
CVSS 3.1
9.0
EPSS
53.7%
Threat
6.4
CVE-2025-2945 CRITICAL POC PATCH THREAT Act Now

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoints. The query_commited and high_availability parameters are passed directly to Python's eval() function, allowing authenticated users to execute arbitrary Python code on the pgAdmin server.

RCE Code Injection Python Pgadmin 4 Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
77.9%
Threat
5.8
CVE-2025-29647 CRITICAL POC Act Now

SeaCMS v13.3 has a SQL injection vulnerability in the component admin_tempvideo.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Seacms
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-29369 CRITICAL POC Act Now

Code-Projects Matrimonial Site V1.0 is vulnerable to SQL Injection in /view_profile.php?id=1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Matrimonial Site
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-22611 CRITICAL POC Act Now

OpenEMR 7.0.2 is vulnerable to SQL Injection via \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php and \openemr\controller.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Openemr
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-26817 CRITICAL Act Now

Netwrix Password Secure 9.2.0.32454 allows OS command injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Password Secure
NVD
CVSS 3.1
9.8
EPSS
2.7%
CVE-2025-26818 CRITICAL Act Now

Netwrix Password Secure through 9.2 allows command injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Code Injection Password Secure
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2025-29064 CRITICAL Act Now

An issue in TOTOLINK x18 v.9.1.0cu.2024_B20220329 allows a remote attacker to execute arbitrary code via the sub_410E54 function of the cstecgi.cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection X18 Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2025-22926 CRITICAL Act Now

An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Path Traversal Opensis
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2025-22930 CRITICAL Act Now

OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Opensis
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-22929 CRITICAL Act Now

OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Opensis
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-22928 CRITICAL Act Now

OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/Inbox.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Opensis
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-31911 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Social Share And Social Locker allows Blind SQL Injection.4.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-2946 CRITICAL PATCH Act Now

pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Pgadmin 4 Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-29462 CRITICAL POC Act Now

A buffer overflow vulnerability has been discovered in Tenda Ac15 V15.13.07.13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Buffer Overflow Ac15 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-22927 CRITICAL This Week

An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Path Traversal Opensis
NVD GitHub
CVSS 3.1
9.1
EPSS
1.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy