Skip to main content
CVE-2025-2775 CRITICAL POC KEV THREAT Emergency

SysAid On-Prem versions through 23.3.40 contain an unauthenticated XXE injection in the Checkin processing, enabling administrator account takeover and file read primitives.

XXE Sysaid
NVD
CVSS 3.1
9.3
EPSS
69.8%
Threat
7.0
CVE-2025-2776 CRITICAL POC KEV THREAT Emergency

SysAid On-Prem contains a second unauthenticated XXE injection in Server URL processing, providing an alternative attack path to the Checkin XXE (CVE-2025-2775) for admin takeover.

XXE Sysaid
NVD
CVSS 3.1
9.3
EPSS
62.6%
Threat
6.7
CVE-2025-2777 CRITICAL POC THREAT Emergency

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.6%.

XXE Sysaid
NVD
CVSS 3.1
9.3
EPSS
24.6%
Threat
4.1
CVE-2025-20188 CRITICAL POC CERT-EU Act Now

A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Cisco Apple Authentication Bypass File Upload Path Traversal +1
NVD
CVSS 3.1
10.0
EPSS
3.9%
CVE-2025-46828 CRITICAL POC PATCH Act Now

WeGIA is a web manager for charitable institutions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP SQLi Authentication Bypass Wegia
NVD GitHub
CVSS 4.0
10.0
EPSS
0.6%
CVE-2025-0668 CRITICAL POC Act Now

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS.4.5. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi XSS Boinc Server
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2025-47549 CRITICAL POC Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF allows Upload a Web Shell to a Web Server.6.10. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2025-4104 CRITICAL Act Now

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_wp_ajax_fed_login_form_post() function in versions 1.0 to 2.2.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2025-3844 CRITICAL Act Now

The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-3476 CRITICAL Act Now

Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
9.4
EPSS
0.2%
CVE-2025-47657 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce allows SQL Injection.1.22. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-36546 CRITICAL Act Now

On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass F5Os A F5Os C
NVD
CVSS 4.0
9.2
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy