Skip to main content
CVE-2025-3390 MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in hailey888 oa_system up to 2025.01.01. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Java Oa System
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-3389 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in hailey888 oa_system up to 2025.01.01.java of the component Backend. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Java Oa System
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-30286 HIGH This Week

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection RCE Coldfusion
NVD
CVSS 3.1
8.4
EPSS
3.4%
CVE-2025-27740 HIGH This Week

Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Windows Server 2008 Windows Server 2012 Windows Server 2016 +5
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2025-29794 HIGH This Week

Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Authentication Bypass Sharepoint Enterprise Server Sharepoint Server
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2025-26669 HIGH This Week

Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Buffer Overflow Windows 10 1507 Windows 10 1607 +14
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2025-2525 HIGH This Week

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2025-27481 HIGH This Week

Stack-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Buffer Overflow Stack Overflow Windows 10 1507 Windows 10 1607 +14
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-21222 HIGH This Week

Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Buffer Overflow Heap Overflow Windows 10 1507 Windows 10 1607 +14
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-21221 HIGH This Week

Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Buffer Overflow Heap Overflow Windows 10 1507 Windows 10 1607 +14
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-21205 HIGH This Week

Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Buffer Overflow Heap Overflow Windows 10 1507 Windows 10 1607 +14
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-2807 HIGH PATCH This Week

The Motors - Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

RCE WordPress Authentication Bypass Motors Car Dealer Classifieds Listing PHP
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-12556 HIGH PATCH This Week

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Path Traversal Elastic File Upload Kibana
NVD
CVSS 3.1
8.7
EPSS
1.1%
CVE-2025-2526 HIGH This Week

The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-32017 HIGH PATCH This Week

Umbraco is a free and open source .NET content management system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Umbraco Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-30290 HIGH This Week

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Coldfusion
NVD
CVSS 3.1
8.7
EPSS
0.8%
CVE-2025-20946 HIGH This Week

Improper handling of exceptional conditions in pairing specific bluetooth devices in Galaxy Watch Bluetooth pairing prior to SMR Apr-2025 Release 1 allows local attackers to pair with specific. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wear Os
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-55354 HIGH This Week

Lucee before 5.4.7.3 LTS and 6 before 6.1.1.118, when an attacker can place files on the server, is vulnerable to a protection mechanism failure that can let an attacker run code that would be. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-3064 HIGH This Week

The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-27737 HIGH This Week

Improper input validation in Windows Security Zone Mapping allows an unauthorized attacker to bypass a security feature locally. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Authentication Bypass Windows 10 1507 Windows 10 1607 Windows 10 1809 +13
NVD
CVSS 3.1
8.6
EPSS
1.1%
CVE-2025-20936 HIGH This Week

Improper access control in HDCP trustlet prior to SMR Apr-2025 Release 1 allows local attackers with shell privilege to escalate their privileges to root. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Android
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-1095 HIGH This Week

IBM Personal Communications v14 and v15 include a Windows service that is vulnerable to local privilege escalation (LPE). Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft IBM Privilege Escalation Personal Communications Windows
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-29805 HIGH This Week

Exposure of sensitive information to an unauthorized actor in Outlook for Android allows an unauthorized attacker to disclose information over a network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Google Information Disclosure Outlook Android
NVD
CVSS 3.1
7.5
EPSS
6.4%
CVE-2025-32406 HIGH This Week

An XXE issue in the Director NBR component in NAKIVO Backup & Replication 10.3.x through 11.0.1 before 11.0.2 allows remote attackers fetch and parse the XML response. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2025-23186 HIGH This Week

In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection SAP
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2025-3289 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Rockwell Buffer Overflow RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-3288 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Rockwell Buffer Overflow RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-3287 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Rockwell Buffer Overflow RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-3286 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Rockwell Buffer Overflow RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-3285 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Rockwell Buffer Overflow RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-2829 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Rockwell Buffer Overflow RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-2293 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Rockwell Buffer Overflow RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-2288 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Rockwell Buffer Overflow RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-2287 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Rockwell RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-2285 HIGH This Week

A local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Rockwell RCE Arena
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-26678 HIGH This Week

Improper access control in Windows Defender Application Control (WDAC) allows an unauthorized attacker to bypass a security feature locally. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Authentication Bypass Windows 10 1809 Windows 10 21h2 Windows 10 22h2 +8
NVD
CVSS 3.1
8.4
EPSS
0.6%
CVE-2025-31498 HIGH PATCH This Week

c-ares is an asynchronous resolver library. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
8.3
EPSS
0.6%
CVE-2025-29986 HIGH This Week

Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Common Anti-Virus Agent (CAVA). Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Dell Authentication Bypass Common Event Enabler
NVD
CVSS 3.1
8.3
EPSS
0.5%
CVE-2025-27480 HIGH CERT-EU This Week

Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Denial Of Service Windows Server 2012 Windows Server 2016 +5
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2025-30288 HIGH This Week

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Coldfusion
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-30289 HIGH This Week

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Command Injection RCE Coldfusion
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-22466 HIGH This Week

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XSS Endpoint Manager
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-30287 HIGH This Week

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

RCE Authentication Bypass Coldfusion
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-26670 HIGH CERT-EU This Week

Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Microsoft Denial Of Service Windows 10 1507 +15
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-26663 HIGH CERT-EU This Week

Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Microsoft Denial Of Service Windows 10 1507 +15
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-27482 HIGH CERT-EU This Week

Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2022 23h2 +2
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-26671 HIGH This Week

Use after free in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Microsoft Denial Of Service Windows Server 2008 +7
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-27487 HIGH This Week

Heap-based buffer overflow in Remote Desktop Client allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow Remote Desktop Client Windows App Windows 10 1507 +15
NVD
CVSS 3.1
8.0
EPSS
0.5%
CVE-2025-27743 HIGH This Week

Untrusted search path in System Center allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure System Center Data Protection Manager System Center Operations Manager System Center Orchestrator System Center Service Manager +1
NVD
CVSS 3.1
7.8
EPSS
1.5%
CVE-2025-32018 HIGH This Week

Cursor is a code editor built for programming with AI. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.

Path Traversal
NVD GitHub
CVSS 3.1
8.0
EPSS
0.2%
Prev Page 2 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy