Skip to main content
CVE-2025-32432 CRITICAL POC KEV PATCH THREAT Act Now

Craft CMS versions 3.x through 5.x contain a critical remote code execution vulnerability (CVSS 10.0) that allows unauthenticated attackers to execute arbitrary code on the server, actively exploited in the wild before patches were released.

RCE Craft Cms
NVD GitHub VulDB Exploit-DB
CVSS 3.1
10.0
EPSS
79.0%
Threat
7.4
CVE-2025-25775 CRITICAL POC Act Now

Codeastro Bus Ticket Booking System v1.0 is vulnerable to SQL injection via the kodetiket parameter in /BusTicket-CI/tiket/cekorder. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Bus Ticket Booking System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-43862 HIGH POC PATCH This Week

Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Dify
NVD GitHub
CVSS 3.1
7.6
EPSS
0.3%
CVE-2025-32981 HIGH POC This Week

NETSCOUT nGeniusONE before 6.4.0 b2350 allows local users to leverage Insecure Permissions for the nGeniusCLI File. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Ngeniusone
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-28128 HIGH POC This Week

An issue in Mytel Telecom Online Account System v1.0 allows attackers to bypass the OTP verification process via a crafted request. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Telecom Online Account System
NVD GitHub
CVSS 3.1
7.0
EPSS
0.3%
CVE-2025-46616 CRITICAL Act Now

Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD
CVSS 3.1
9.9
EPSS
1.6%
CVE-2025-0671 MEDIUM POC This Month

The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Icegram Express PHP
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-2470 CRITICAL Act Now

The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-32985 CRITICAL Act Now

NETSCOUT nGeniusONE before 6.4.0 b2350 has Hardcoded Credentials that can be obtained from JAR files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ngeniusone
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32980 CRITICAL Act Now

NETSCOUT nGeniusONE before 6.4.0 P11 b3245 has a Weak Sudo Configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-56156 MEDIUM POC This Month

Halo is an open source website building tool. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Halo
NVD GitHub
CVSS 4.0
5.5
EPSS
1.0%
CVE-2025-3642 HIGH PATCH This Week

A flaw was found in Moodle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Moodle
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2025-3641 HIGH PATCH This Week

A flaw was found in Moodle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Moodle
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2025-1279 HIGH This Week

The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-2238 HIGH This Week

The Vikinger theme for WordPress is vulnerable to privilege in all versions up to, and including, 1.9.30. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-3638 HIGH PATCH This Week

A flaw was found in Moodle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Moodle
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-3606 HIGH This Week

Vestel AC Charger version 3.75.0 contains a vulnerability that could enable an attacker to access files containing sensitive information, such as credentials which could be used to further compromise. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-2185 HIGH This Week

ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.5
EPSS
0.2%
CVE-2025-43865 HIGH PATCH This Week

React Router is a router for React. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Red Hat Suse
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2024-11917 HIGH This Week

The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google WordPress Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-1565 HIGH This Week

The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Path Traversal
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-6199 HIGH This Week

An unauthenticated attacker on the WAN interface, with the ability to intercept Dynamic DNS (DDNS) traffic between DDNS services and the modem, could manipulate specific responses to include code. Rated high severity (CVSS 7.7), this vulnerability is no authentication required. No vendor patch available.

Buffer Overflow
NVD
CVSS 4.0
7.7
EPSS
0.1%
CVE-2024-6198 HIGH This Week

The device exposes a web interface on ports TCP/3030 and TCP/9882. Rated high severity (CVSS 7.7), this vulnerability is no authentication required. No vendor patch available.

Buffer Overflow
NVD
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-32044 HIGH PATCH This Week

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data-including names, contact information, and hashed passwords-via stack traces. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP Moodle
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2025-43864 HIGH PATCH This Week

React Router is a router for React. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-32983 HIGH This Week

NETSCOUT nGeniusONE before 6.4.0 b2350 allows Technical Information Disclosure via a Stack Trace. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ngeniusone
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-32982 HIGH This Week

NETSCOUT nGeniusONE before 6.4.0 b2350 has a Broken Authorization Schema for the report module. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ngeniusone
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-32986 HIGH This Week

NETSCOUT nGeniusONE before 6.4.0 b2350 has a Sensitive File Accessible Without Proper Authentication to an endpoint. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ngeniusone
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-46613 HIGH This Week

OpenPLC 3 through 64f9c11 has server.cpp Memory Corruption because a thread may access handleConnections arguments after the parent stack frame becomes unavailable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Race Condition Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-3511 HIGH This Week

Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-46333 HIGH This Week

z2d is a pure Zig 2D graphics library. Rated high severity (CVSS 7.3). No vendor patch available.

Buffer Overflow
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-46617 HIGH This Week

Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-3625 HIGH This Week

A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Moodle
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2025-46599 MEDIUM PATCH This Month

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Kubernetes Suse
NVD GitHub
CVSS 3.1
6.8
EPSS
0.4%
CVE-2025-3775 MEDIUM This Month

The ShopLentor - WooCommerce Builder for Elementor & Gutenberg +20 Modules - All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SSRF Shoplentor PHP
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-28354 MEDIUM This Month

An issue in the Printer Manager Systm of Entrust Corp Printer Manager D3.18.4-3 and below allows attackers to execute a directory traversal via a crafted POST request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-32979 MEDIUM This Month

NETSCOUT nGeniusONE before 6.4.0 b2350 allows Arbitrary File Creation by authenticated users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ngeniusone
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-28076 MEDIUM This Month

Multiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.4 and CO2Scope <= 1.3.4 allows remote authenticated attackers to execute arbitrary SQL commands via the (1) timeago, (2) user, (3). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-46482 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MyThemeShop WP Quiz allows Stored XSS.0.10. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-30152 MEDIUM This Month

HCL SX v21 is affected by usage of a weak cryptographic algorithm. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hcl Sx
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-3752 MEDIUM This Month

The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-46544 MEDIUM This Month

In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Sherpa Orchestrator
NVD GitHub
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-46595 MEDIUM This Month

An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-3868 MEDIUM This Month

The Custom Admin-Bar Favorites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menuObject' parameter in all versions up to, and including, 0.1 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2025-3870 MEDIUM This Month

The 1 Decembrie 1918 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.dec.2012. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP CSRF XSS
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-3866 MEDIUM This Month

The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google WordPress CSRF XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-32984 MEDIUM This Month

NETSCOUT nGeniusONE before 6.4.0 b2350 allows Stored Cross-Site Scripting (XSS) via a certain POST parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Ngeniusone
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-3867 MEDIUM This Month

The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-2986 MEDIUM This Month

IBM Maximo Asset Management 7.6.1.3 is vulnerable to stored cross-site scripting. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XSS Maximo Asset Management
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-3743 MEDIUM This Month

The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.8%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy