Skip to main content
CVE-2025-34028 CRITICAL POC KEV THREAT Emergency

Commvault Command Center Innovation Release allows unauthenticated remote code execution through path traversal in ZIP file upload handling, enabling malicious JSP deployment on the server.

RCE Path Traversal Commvault
NVD GitHub
CVSS 4.0
9.3
EPSS
63.2%
Threat
6.8
CVE-2025-28038 CRITICAL POC Act Now

TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setWebWlanIdx function through the webWlanIdx parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ex1200t Firmware TOTOLINK
NVD
CVSS 3.1
9.8
EPSS
8.2%
CVE-2025-28039 CRITICAL POC Act Now

TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setUpgradeFW function through the FileName parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ex1200t Firmware TOTOLINK
NVD
CVSS 3.1
9.8
EPSS
7.5%
CVE-2025-28037 CRITICAL POC Act Now

TOTOLINK A810R V4.1.2cu.5182_B20201026 and A950RG V4.1.2cu.5161_B20200903 were found to contain a pre-auth remote command execution vulnerability in the setDiagnosisCfg function through the ipDomain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A810R Firmware A950rg Firmware TOTOLINK
NVD
CVSS 3.1
9.8
EPSS
7.5%
CVE-2025-28036 CRITICAL POC Act Now

TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A950rg Firmware A810R Firmware A800R Firmware A830R Firmware +3
NVD
CVSS 3.1
9.8
EPSS
6.4%
CVE-2025-28035 CRITICAL POC Act Now

TOTOLINK A830R V4.1.2cu.5182_B20201102 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A830R Firmware A3100R Firmware A810R Firmware A800R Firmware +3
NVD
CVSS 3.1
9.8
EPSS
6.4%
CVE-2025-28034 CRITICAL POC Act Now

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A800R Firmware A810R Firmware A830R Firmware A950rg Firmware +3
NVD
CVSS 3.1
9.8
EPSS
6.4%
CVE-2025-43946 CRITICAL POC Act Now

TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal File Upload Ddi
NVD GitHub
CVSS 3.1
9.8
EPSS
5.6%
CVE-2023-43958 CRITICAL POC Act Now

An arbitrary file upload vulnerability in the component /jquery-file-upload/server/php/index.php of Hospital Management System v4.0 allows an unauthenticated attacker to upload any file to the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection File Upload Hospital Management System
NVD
CVSS 3.1
9.8
EPSS
3.8%
CVE-2025-3472 MEDIUM POC PATCH THREAT This Month

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.3%.

RCE WordPress Code Injection Ocean Extra PHP
NVD
CVSS 3.1
6.5
EPSS
17.3%
CVE-2025-28024 CRITICAL POC Act Now

TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a buffer overflow vulnerability in the cstecgi.cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow A810R Firmware TOTOLINK
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2023-44752 CRITICAL POC Act Now

An issue in Student Study Center Desk Management System v1.0 allows attackers to bypass authentication via a crafted GET request to /php-sscdms/admin/login.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Student Study Center Desk Management System
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2023-44755 CRITICAL POC Act Now

Sacco Management system v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /sacco/ajax.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Sacco Management System
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-2594 HIGH POC This Week

The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when the Membership Addon is enabled, allowing attackers to authenticate as any. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

WordPress Information Disclosure User Registration Membership PHP
NVD WPScan Exploit-DB
CVSS 3.1
8.1
EPSS
7.4%
CVE-2025-28030 HIGH POC This Week

TOTOLINK A810R V4.1.2cu.5182_B20201026 was discovered to contain a stack overflow via the startTime and endTime parameters in setParentalRules function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Stack Overflow A810R Firmware TOTOLINK
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-29743 MEDIUM POC This Month

D-Link DIR-816 A2V1.1.0B05 was found to contain a command injection in /goform/delRouting. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection Dir 816 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
9.0%
CVE-2024-33452 HIGH POC This Week

An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Nginx Request Smuggling Information Disclosure Lua Nginx Module Red Hat
NVD
CVSS 3.1
7.7
EPSS
0.7%
CVE-2025-1731 HIGH POC This Week

An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Zyxel PostgreSQL Privilege Escalation Uos
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-29339 HIGH POC This Week

An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open5gs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-46546 HIGH POC This Week

NEXTU FLETA AX1500 WIFI6 Router v1.0.3 was discovered to contain a stack overflow via the url parameter at /boafrm/formFilter. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Stack Overflow Denial Of Service Fleta Ax1500 Firmware
NVD GitHub
CVSS 3.1
7.3
EPSS
0.4%
CVE-2025-43947 HIGH POC This Week

Codemers KLIMS 1.6.DEV lacks a proper access control mechanism, allowing a normal KLIMS user to perform all the actions that an admin can perform, such as modifying the configuration, creating a. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Klims
NVD GitHub
CVSS 3.1
7.3
EPSS
0.3%
CVE-2025-28029 HIGH POC This Week

TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Stack Overflow A830R Firmware A950rg Firmware A3000Ru Firmware +2
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2025-28027 HIGH POC This Week

TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 was found to contain a buffer overflow vulnerability in. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Stack Overflow A830R Firmware A950rg Firmware A3000Ru Firmware +2
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2025-28026 HIGH POC This Week

TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Stack Overflow A830R Firmware A950rg Firmware A3000Ru Firmware +2
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2025-28033 HIGH POC This Week

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Stack Overflow A800R Firmware A810R Firmware A830R Firmware +4
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2025-28032 HIGH POC This Week

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Stack Overflow A800R Firmware A810R Firmware A830R Firmware +4
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2024-13569 HIGH POC This Week

The Front End Users WordPress plugin through 3.2.32 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Front End Users
NVD WPScan
CVSS 3.1
7.1
EPSS
0.4%
CVE-2025-29547 HIGH POC This Week

In Rollback Rx Professional 12.8.0.0, the driver file shieldm.sys allows local users to cause a denial of service because of a null pointer dereference from IOCtl 0x96202000. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Rollback Rx Pro
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2025-28031 MEDIUM POC This Month

TOTOLINK A810R V4.1.2cu.5182_B20201026 was discovered to contain a hardcoded password for the telnet service in product.ini. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass A810R Firmware TOTOLINK
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-3850 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Springboot Vue Onlineexam
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2023-44753 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability fin Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Student Management System
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2023-43378 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the commento1_1 parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hoteldruid
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-43951 CRITICAL Act Now

LabVantage before LV 8.8.0.13 HF6 allows local file inclusion. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-37087 CRITICAL Act Now

A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on the server host. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-43949 CRITICAL Act Now

MuM (aka Mensch und Maschine) MapEdit (aka mapedit-web) 24.2.3 is vulnerable to SQL Injection that allows an attacker to execute malicious SQL statements that control a web application's database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-40446 CRITICAL Act Now

An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mimetex
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-3577 MEDIUM POC This Month

**UNSUPPORTED WHEN ASSIGNED** A path traversal vulnerability in the web management interface of the Zyxel AMG1302-T10B firmware version 2.00(AAJC.16)C0 could allow an authenticated attacker with. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zyxel Path Traversal Amg1302 T10B Firmware
NVD GitHub
CVSS 3.1
4.9
EPSS
2.8%
CVE-2025-32965 CRITICAL PATCH Act Now

xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2025-3856 MEDIUM POC This Month

A vulnerability was found in xxyopen Novel-Plus 5.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Novel Plus
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-3855 MEDIUM POC This Month

A vulnerability was found in CodeCanyon RISE Ultimate Project Manager 3.8.2 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Rise Ultimate Project Manager
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-3849 MEDIUM POC This Month

A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Springboot Vue Onlineexam
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2024-58250 CRITICAL Act Now

The passprompt plugin in pppd in ppp before 2.5.2 mishandles privileges. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-1950 CRITICAL Act Now

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands locally due to improper validation of libraries of an untrusted source. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Hardware Management Console
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-3616 HIGH PATCH This Week

The Greenshift - animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Greenshift Animation And Page Builder Blocks PHP
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2025-23176 HIGH This Week

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-3854 HIGH This Week

A vulnerability, which was classified as critical, was found in H3C GR-3000AX up to V100R006. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2025-1951 HIGH This Week

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands as a privileged user due to execution of commands with unnecessary. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Privilege Escalation Hardware Management Console
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-3767 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon BAM (Boolean KPi Listing modules) allows SQL Injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
5.4%
CVE-2025-46241 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in codepeople Appointment Booking Calendar allows SQL Injection.3.92. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi CSRF
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-23249 HIGH This Week

NVIDIA NeMo Framework contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nvidia RCE Deserialization Nemo
NVD
CVSS 3.1
7.6
EPSS
1.4%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy