Skip to main content
CVE-2025-28242 CRITICAL POC THREAT Emergency

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.5% and no vendor patch available.

Information Disclosure Session Fixation
NVD GitHub
CVSS 3.1
9.8
EPSS
11.5%
CVE-2025-29209 CRITICAL POC Act Now

TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution in the enable parameter' of the sub_41105C function of cstecgi .cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection X18 Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2024-53591 CRITICAL POC Act Now

An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Seclore
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-28229 CRITICAL POC Act Now

Incorrect access control in Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 allows attackers to bypass authentication and gain Administrator privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Optimod 5950 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-29643 CRITICAL POC Act Now

An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Code Injection Croogo
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-28230 CRITICAL POC Act Now

Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Jmb0150 Firmware
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-28232 CRITICAL POC Act Now

Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Jmb0150 Firmware
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-29058 CRITICAL Act Now

An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP Code Injection Qimou Cms
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2025-28236 CRITICAL Act Now

Nautel VX Series transmitters VX SW v6.4.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-29953 CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.1.1 when performing connections to untrusted servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Activemq Nms Openwire
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-28238 CRITICAL Act Now

Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-1863 CRITICAL Act Now

Insecure default settings have been found in recorder products provided by Yokogawa Electric Corporation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-32434 CRITICAL POC PATCH Act Now

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Deserialization Pytorch AI / ML
NVD GitHub
CVSS 4.0
9.3
EPSS
1.2%
CVE-2025-39471 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pantherius Modal Survey.0.2.0.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-2492 CRITICAL Act Now

An improper authentication control vulnerability exists in AiCloud. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2025-28231 CRITICAL Act Now

Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-28197 CRITICAL Act Now

Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Crawl4ai
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-28233 CRITICAL Act Now

Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version:. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-42599 CRITICAL KEV THREAT Act Now

Active! mail 6 contains a stack-based buffer overflow allowing unauthenticated remote code execution and denial of service through crafted requests, exploited in attacks against Japanese organizations in April 2025.

Buffer Overflow RCE Stack Overflow Active Mail
NVD
CVSS 3.1
9.8
EPSS
2.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy