Skip to main content
CVE-2025-4427 MEDIUM POC KEV EUVD KEV THREAT CERT-EU This Month

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Authentication Bypass Ivanti Endpoint Manager Mobile
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
91.6%
Threat
6.8
CVE-2024-46506 CRITICAL POC THREAT Emergency

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection through the settings update API. The savesettings function lacks authentication, enabling attackers to modify arbitrary configuration values and inject OS commands that execute on the host system.

Command Injection PHP Authentication Bypass Netalertx
NVD
CVSS 3.1
10.0
EPSS
91.5%
Threat
6.2
CVE-2025-4632 CRITICAL POC KEV PATCH THREAT Act Now

Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary files as SYSTEM authority, enabling complete server compromise.

Samsung Path Traversal Magicinfo 9 Server
NVD
CVSS 3.1
9.8
EPSS
49.2%
Threat
6.4
CVE-2025-4428 HIGH POC KEV EUVD KEV THREAT CERT-EU Act Now

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authenticated attackers to execute arbitrary code through crafted API requests.

RCE Code Injection Ivanti Endpoint Manager Mobile
NVD
CVSS 3.1
7.2
EPSS
45.3%
Threat
5.8
CVE-2024-48766 HIGH POC THREAT Act Now

NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.0%.

PHP Path Traversal Netalertx
NVD
CVSS 3.1
8.6
EPSS
75.0%
Threat
5.5
CVE-2025-30397 HIGH POC KEV THREAT Act Now

Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the network through crafted content processed by the scripting engine.

Microsoft Memory Corruption Authentication Bypass Windows 10 1507 Windows 10 1607 +13
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
21.3%
CVE-2025-32706 HIGH POC KEV THREAT Act Now

Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulnerability in the May 2025 Patch Tuesday.

Microsoft Information Disclosure Windows 10 1507 Windows 10 1607 Windows 10 1809 +13
NVD
CVSS 3.1
7.8
EPSS
1.3%
CVE-2025-32701 HIGH KEV THREAT Act Now

Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a series of CLFS kernel vulnerabilities exploited throughout 2023-2025.

Use After Free Memory Corruption Microsoft Denial Of Service Windows 10 1507 +15
NVD
CVSS 3.1
7.8
EPSS
2.1%
CVE-2025-32709 HIGH KEV THREAT Act Now

Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a null pointer dereference, exploited in May 2025.

Use After Free Memory Corruption Microsoft Denial Of Service Windows 10 1507 +15
NVD VulDB
CVSS 3.1
7.8
EPSS
1.0%
CVE-2025-30400 HIGH KEV THREAT Act Now

Windows Desktop Window Manager (DWM) contains a use-after-free enabling local privilege escalation, exploited in the wild in May 2025 as another DWM zero-day.

Use After Free Memory Corruption Microsoft Denial Of Service Windows 10 1809 +10
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2025-45858 CRITICAL POC THREAT Emergency

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 15.4%.

Command Injection A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
15.4%
CVE-2025-4396 HIGH POC THREAT Act Now

The Relevanssi - A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the cats and tags query parameters in all versions up to, and including, 4.24.4 (Free) and <=. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 25.2% and no vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
25.2%
CVE-2025-26677 HIGH Act Now

Uncontrolled resource consumption in Remote Desktop Gateway Service allows an unauthorized attacker to deny service over a network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 37.9% and no vendor patch available.

Denial Of Service Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2022 23h2 +2
NVD
CVSS 3.1
7.5
EPSS
37.9%
CVE-2025-45857 CRITICAL POC Act Now

EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Cv 7428Ns Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
4.4%
CVE-2025-43559 CRITICAL Act Now

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

RCE Coldfusion
NVD
CVSS 3.1
9.1
EPSS
12.3%
CVE-2025-43560 CRITICAL Act Now

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 12.1% and no vendor patch available.

RCE Coldfusion
NVD
CVSS 3.1
9.1
EPSS
12.1%
CVE-2025-22462 CRITICAL Act Now

An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ivanti Neurons For Itsm
NVD
CVSS 3.1
9.8
EPSS
6.6%
CVE-2025-30159 MEDIUM POC PATCH This Month

Kirby is an open-source content management system. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Kirby
NVD GitHub
CVSS 4.0
6.3
EPSS
0.9%
CVE-2025-47204 MEDIUM POC PATCH This Month

An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

PHP CSRF XSS Bootstrap Multiselect Bootstrap
NVD GitHub
CVSS 3.1
6.1
EPSS
1.4%
CVE-2023-49641 CRITICAL Act Now

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-43561 CRITICAL Act Now

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Authentication Bypass Coldfusion
NVD
CVSS 3.1
9.1
EPSS
2.0%
CVE-2025-45866 MEDIUM POC This Month

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the addrPoolEnd parameter in the formDhcpv6s interface. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-3757 CRITICAL PATCH Act Now

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openpubkey Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-4658 CRITICAL PATCH Act Now

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openpubkey Opkssh Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-44039 MEDIUM POC This Month

CP-XR-DE21-S -4G Router Firmware version 1.031.022 was discovered to contain insecure protections for its UART console. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Cp Xr De21 S Firmware
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-29962 HIGH This Week

Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Buffer Overflow Heap Overflow Windows 10 1507 Windows 10 1607 +14
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2025-4317 HIGH This Week

The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2025-29840 HIGH This Week

Stack-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Buffer Overflow Stack Overflow Windows 10 1507 Windows 10 1607 +10
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2025-29971 HIGH This Week

Out-of-bounds read in Web Threat Defense (WTD.sys) allows an unauthorized attacker to deny service over a network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow Windows 11 22h2 Windows 11 23h2 Windows 11 24h2 +1
NVD
CVSS 3.1
7.5
EPSS
6.7%
CVE-2025-22843 HIGH This Week

Incorrect execution-assigned permissions for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable escalation of privilege via local. Rated high severity (CVSS 8.8). No vendor patch available.

Intel Privilege Escalation
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-24308 HIGH This Week

Improper input validation in the UEFI firmware error handler for the Intel(R) Server D50DNP and M50FCP may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7). No vendor patch available.

Intel Privilege Escalation
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-21094 HIGH This Week

Improper input validation in the UEFI firmware DXE module for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable escalation of privilege via local access. Rated high severity (CVSS 8.7), this vulnerability is low attack complexity. No vendor patch available.

Intel Privilege Escalation
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-20100 HIGH This Week

Improper access control in the memory controller configurations for some Intel(R) Xeon(R) 6 processor with E-cores may allow a privileged user to potentially enable escalation of privilege via local. Rated high severity (CVSS 8.7). No vendor patch available.

Intel Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-20082 HIGH This Week

Time-of-check time-of-use race condition in the UEFI firmware SmiVariable driver for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to enable escalation of privilege via. Rated high severity (CVSS 8.7). No vendor patch available.

Intel Privilege Escalation
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-32704 HIGH This Week

Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Buffer Overflow 365 Apps Excel Office +1
NVD
CVSS 3.1
8.4
EPSS
0.7%
CVE-2025-30377 HIGH This Week

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Microsoft Denial Of Service 365 Apps +4
NVD
CVSS 3.1
8.4
EPSS
0.7%
CVE-2025-20004 HIGH This Week

Insufficient control flow management in the Alias Checking Trusted Module for some Intel(R) Xeon(R) 6 processor E-Cores firmware may allow a privileged user to potentially enable escalation of. Rated high severity (CVSS 8.5). No vendor patch available.

Intel Privilege Escalation
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-20618 HIGH This Week

Stack-based buffer overflow for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow a privileged user to potentially enable denial of service via local access. Rated high severity (CVSS 8.3), this vulnerability is low attack complexity. No vendor patch available.

Stack Overflow Intel Buffer Overflow Denial Of Service Microsoft +2
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-20032 HIGH This Week

Improper input validation for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow a privileged user to potentially enable denial of service via local access. Rated high severity (CVSS 8.3), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Intel Denial Of Service Proset Wireless Wifi Windows
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-20006 HIGH This Week

Use after free for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.100 may allow an unauthenticated user to potentially enable denial of service via adjacent access. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Intel Denial Of Service Microsoft +2
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-22249 HIGH PATCH This Week

VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS VMware Aria Automation Cloud Foundation Telco Cloud Platform
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2024-36292 HIGH This Week

Improper buffer restrictions for some Intel(R) Data Center GPU Flex Series for Windows driver before version 31.0.101.4314 may allow an authenticated user to potentially enable denial of service via. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Intel Buffer Overflow Denial Of Service Windows
NVD
CVSS 4.0
8.2
EPSS
0.1%
CVE-2025-30382 HIGH This Week

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Deserialization Sharepoint Server
NVD
CVSS 3.1
7.8
EPSS
1.4%
CVE-2025-26646 HIGH PATCH This Week

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Build Tools Visual Studio 2022 Net Red Hat +1
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-29975 HIGH This Week

Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Pc Manager
NVD
CVSS 3.1
7.8
EPSS
1.2%
CVE-2025-30383 HIGH This Week

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Memory Corruption Authentication Bypass 365 Apps Excel +3
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2025-30375 HIGH This Week

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Memory Corruption Authentication Bypass 365 Apps Excel +3
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2025-32702 HIGH This Week

Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection Visual Studio 2019 Visual Studio 2022
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2025-30393 HIGH This Week

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Microsoft Denial Of Service 365 Apps +1
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2025-30381 HIGH This Week

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Buffer Overflow 365 Apps Excel +3
NVD
CVSS 3.1
7.8
EPSS
0.8%
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy