Skip to main content
CVE-2025-29659 CRITICAL POC Act Now

Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Xy 3820 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
4.2%
CVE-2025-29287 CRITICAL POC PATCH Act Now

An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Mcms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2025-29660 CRITICAL POC Act Now

A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Xy 3820 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-28104 CRITICAL POC Act Now

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Flaskblog
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-28367 MEDIUM POC THREAT This Month

mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 12.7%.

Authentication Bypass Path Traversal Mojoportal
NVD GitHub
CVSS 3.1
6.5
EPSS
12.7%
CVE-2024-57394 HIGH POC This Week

The quarantine - restore function in Qi-ANXIN Tianqing Endpoint Security Management System v10.0 allows user to restore a malicious file to an arbitrary file path. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Tianqing Endpoint Security Management System Windows
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-32956 HIGH POC PATCH This Week

ManageWiki is a MediaWiki extension allowing users to manage wikis. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Managewiki
NVD GitHub
CVSS 3.1
8.0
EPSS
0.2%
CVE-2024-42699 MEDIUM POC This Month

Cross Site Scripting vulnerability in Create/Modify article function in Alkacon OpenCMS 17.0 allows remote attacker to inject javascript payload via image title sub-field in the image field. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

XSS Opencms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2025-28121 MEDIUM POC This Month

code-projects Online Exam Mastering System 1.0 is vulnerable to Cross Site Scripting (XSS) in feedback.php via the "q" parameter allowing remote attackers to execute arbitrary code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE XSS Online Exam Mastering System
NVD GitHub Exploit-DB
CVSS 3.1
6.1
EPSS
0.7%
CVE-2025-28102 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Flaskblog
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-32958 CRITICAL Act Now

Adept is a language for general purpose programming. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-0632 CRITICAL Act Now

Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure RCE Path Traversal
NVD
CVSS 4.0
9.2
EPSS
2.6%
CVE-2024-41446 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the image parameter under the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-3842 MEDIUM POC This Month

A vulnerability was found in panhainan DS-Java 1.0 and classified as critical.action of the file src/com/phn/action/FileUpload.java. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java Ds Java
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-3843 MEDIUM POC This Month

A vulnerability was found in panhainan DS-Java 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Java Ds Java
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-32431 HIGH PATCH This Week

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Traefik Suse
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2025-3841 MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in wix-incubator jam up to e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jam
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2025-3857 HIGH PATCH This Week

When reading binary Ion data through Amazon.IonDotnet using the RawBinaryReader class, Amazon.IonDotnet does not check the number of bytes read from the underlying stream while deserializing the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Denial Of Service
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-43971 HIGH PATCH This Week

An issue was discovered in GoBGP before 3.35.0. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Gobgp Suse
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-2298 HIGH This Week

An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Authentication Bypass Denial Of Service
NVD
CVSS 4.0
8.4
EPSS
0.2%
CVE-2025-28099 MEDIUM POC This Month

opencms V2.3 is vulnerable to Arbitrary file read in src/main/webapp/view/admin/document/dataPage.jsp,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Opencms
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2025-27086 HIGH This Week

A vulnerability in the HPE Performance Cluster Manager (HPCM) GUI could allow an attacker to bypass authentication. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Performance Cluster Manager
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-43922 HIGH This Week

The FileWave Windows client before 16.0.0, in some non-default configurations, allows an unprivileged local user to escalate privileges to SYSTEM. Rated high severity (CVSS 8.1), this vulnerability is no authentication required. No vendor patch available.

Microsoft Authentication Bypass Windows
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-23174 HIGH This Week

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-29446 LOW POC Monitor

open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

SSRF Open Webui Ollama AI / ML
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.1%
CVE-2025-3845 MEDIUM This Month

A vulnerability was found in markparticle WebServer up to 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Webserver
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2025-3847 MEDIUM This Month

A vulnerability classified as critical has been found in markparticle WebServer up to 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Webserver
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2025-3846 MEDIUM This Month

A vulnerability was found in markparticle WebServer up to 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Webserver
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-43967 LOW POC PATCH Monitor

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid::get_decoder in image-items/grid.cc because a grid image can reference a nonexistent image item. Rated low severity (CVSS 2.9), this vulnerability is no authentication required. Public exploit code available.

Null Pointer Dereference Denial Of Service Libheif
NVD GitHub
CVSS 3.1
2.9
EPSS
0.2%
CVE-2025-43973 MEDIUM PATCH This Month

An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Gobgp Suse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-43972 MEDIUM PATCH This Month

An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required.

Denial Of Service Gobgp Suse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-28103 MEDIUM This Month

Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Flaskblog
NVD GitHub
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-3837 MEDIUM This Month

An improper input validation vulnerability is identified in the End of Life (EOL) OVA based connect component which is deployed for installation purposes in the customer internal network. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE
NVD
CVSS 4.0
6.1
EPSS
0.4%
CVE-2025-3838 MEDIUM This Month

An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
6.1
EPSS
0.1%
CVE-2025-32955 MEDIUM This Month

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Docker Red Hat
NVD GitHub
CVSS 3.1
6.0
EPSS
0.1%
CVE-2024-12543 MEDIUM This Month

User Enumeration and Data Integrity in Barcode functionality in OpenText Content Management versions 24.3-25.1on Windows and Linux allows a malicous authenticated attacker to potentially alter. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft Information Disclosure Windows
NVD
CVSS 4.0
5.9
EPSS
0.2%
CVE-2024-12863 MEDIUM This Month

Stored XSS in Discussions in OpenText Content Management CE 20.2 to 25.1 on Windows and Linux allows authenticated malicious users to inject code into the system. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft XSS Windows
NVD
CVSS 4.0
5.6
EPSS
0.4%
CVE-2024-12862 MEDIUM This Month

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.2-24.4. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft Authentication Bypass Windows
NVD
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-43970 MEDIUM PATCH This Month

An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Gobgp Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-32793 MEDIUM PATCH This Month

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Cilium Suse
NVD GitHub
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-25228 LOW Monitor

A SQL injection in VirtueMart component 1.0.0 - 4.4.7 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the product management area in backend. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Virtuemart Joomla
NVD GitHub
CVSS 3.1
3.8
EPSS
0.2%
CVE-2025-43916 LOW Monitor

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
3.4
EPSS
0.2%
CVE-2025-43963 LOW PATCH Monitor

In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing. Rated low severity (CVSS 2.9), this vulnerability is no authentication required. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Information Disclosure Buffer Overflow Libraw
NVD GitHub
CVSS 3.1
2.9
EPSS
0.3%
CVE-2025-43962 LOW PATCH Monitor

In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations. Rated low severity (CVSS 2.9), this vulnerability is no authentication required.

Information Disclosure Buffer Overflow Libraw
NVD GitHub
CVSS 3.1
2.9
EPSS
0.3%
CVE-2025-43961 LOW PATCH Monitor

In LibRaw before 0.21.4, metadata/tiff.cpp has an out-of-bounds read in the Fujifilm 0xf00c tag parser. Rated low severity (CVSS 2.9), this vulnerability is no authentication required.

Information Disclosure Buffer Overflow Libraw
NVD GitHub
CVSS 3.1
2.9
EPSS
0.3%
CVE-2025-43964 LOW PATCH Monitor

In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values. Rated low severity (CVSS 2.9), this vulnerability is no authentication required.

Information Disclosure Libraw
NVD GitHub
CVSS 3.1
2.9
EPSS
0.2%
CVE-2025-43966 LOW PATCH Monitor

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden in image-items/iden.cc. Rated low severity (CVSS 2.9), this vulnerability is no authentication required.

Null Pointer Dereference Denial Of Service Libheif
NVD GitHub
CVSS 3.1
2.9
EPSS
0.2%
CVE-2025-32408 LOW Monitor

In Soffid Console 3.6.31 before 3.6.32, authorization to use the pam service is mishandled. Rated low severity (CVSS 2.5). No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
2.5
EPSS
0.1%
CVE-2025-2517 LOW Monitor

Reference to Expired Domain Vulnerability in OpenText™ ArcSight Enterprise Security Manager. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
2.3
EPSS
0.4%
CVE-2025-3840 LOW Monitor

An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. Rated low severity (CVSS 2.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 4.0
2.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy