Skip to main content
CVE-2025-29659 CRITICAL POC Act Now

Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Xy 3820 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
4.2%
CVE-2025-29287 CRITICAL POC PATCH Act Now

An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Mcms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2025-29660 CRITICAL POC Act Now

A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Xy 3820 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-28104 CRITICAL POC Act Now

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Flaskblog
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-32958 CRITICAL Act Now

Adept is a language for general purpose programming. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-0632 CRITICAL Act Now

Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure RCE Path Traversal
NVD
CVSS 4.0
9.2
EPSS
2.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy