Skip to main content
CVE-2024-46506 CRITICAL POC THREAT Emergency

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection through the settings update API. The savesettings function lacks authentication, enabling attackers to modify arbitrary configuration values and inject OS commands that execute on the host system.

Command Injection PHP Authentication Bypass Netalertx
NVD
CVSS 3.1
10.0
EPSS
91.5%
Threat
6.2
CVE-2025-4632 CRITICAL POC KEV PATCH THREAT Act Now

Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary files as SYSTEM authority, enabling complete server compromise.

Samsung Path Traversal Magicinfo 9 Server
NVD
CVSS 3.1
9.8
EPSS
49.2%
Threat
6.4
CVE-2025-45858 CRITICAL POC THREAT Emergency

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 15.4%.

Command Injection A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
15.4%
CVE-2025-45857 CRITICAL POC Act Now

EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Cv 7428Ns Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
4.4%
CVE-2025-43559 CRITICAL Act Now

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 12.3% and no vendor patch available.

RCE Coldfusion
NVD
CVSS 3.1
9.1
EPSS
12.3%
CVE-2025-43560 CRITICAL Act Now

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 12.1% and no vendor patch available.

RCE Coldfusion
NVD
CVSS 3.1
9.1
EPSS
12.1%
CVE-2025-22462 CRITICAL Act Now

An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ivanti Neurons For Itsm
NVD
CVSS 3.1
9.8
EPSS
6.6%
CVE-2023-49641 CRITICAL Act Now

Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-43561 CRITICAL Act Now

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Authentication Bypass Coldfusion
NVD
CVSS 3.1
9.1
EPSS
2.0%
CVE-2025-3757 CRITICAL PATCH Act Now

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openpubkey Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-4658 CRITICAL PATCH Act Now

Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Openpubkey Opkssh Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-43567 CRITICAL This Week

Adobe Connect versions 12.8 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe XSS Connect
NVD
CVSS 3.1
9.3
EPSS
0.8%
CVE-2025-43564 CRITICAL This Week

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Authentication Bypass Coldfusion
NVD
CVSS 3.1
9.1
EPSS
0.8%
CVE-2025-43563 CRITICAL This Week

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Authentication Bypass Coldfusion
NVD
CVSS 3.1
9.1
EPSS
0.8%
CVE-2025-43562 CRITICAL This Week

ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection RCE Coldfusion
NVD
CVSS 3.1
9.1
EPSS
8.4%
CVE-2025-45863 CRITICAL POC Act Now

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the macstr parameter in the formMapDelDevice interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-45865 CRITICAL POC Act Now

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the dnsaddr parameter in the formDhcpv6s interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-45861 CRITICAL POC Act Now

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the routername parameter in the formDnsv6 interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-30387 CRITICAL This Week

Improper limitation of a pathname to a restricted directory ('path traversal') in Azure allows an unauthorized attacker to elevate privileges over a network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Path Traversal Azure Ai Document Intelligence Studio
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2025-28056 CRITICAL POC Act Now

rebuild v3.9.0 through v3.9.3 has a SQL injection vulnerability in /admin/admin-cli/exec component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Rebuild
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-44831 CRITICAL POC Act Now

EngineerCMS v1.02 through v2.0.5 has a SQL injection vulnerability in the /project/addproject interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Engineercms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-32756 CRITICAL KEV THREAT CERT-EU Act Now

Fortinet FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice contain a stack-based buffer overflow enabling unauthenticated remote code execution across multiple Fortinet products.

Buffer Overflow RCE Stack Overflow Fortinet Fortimail +4
NVD
CVSS 3.1
9.8
EPSS
41.6%
CVE-2025-40628 CRITICAL This Week

SQL injection vulnerability in DomainsPRO 1.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-33025 CRITICAL This Week

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection RCE
NVD
CVSS 4.0
9.4
EPSS
0.9%
CVE-2025-33024 CRITICAL This Week

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection RCE
NVD
CVSS 4.0
9.4
EPSS
0.9%
CVE-2025-32469 CRITICAL This Week

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection RCE
NVD
CVSS 4.0
9.4
EPSS
0.9%
CVE-2025-26390 CRITICAL This Week

A vulnerability has been identified in OZW672 (All versions < V6.0), OZW772 (All versions < V6.0). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Ozw672 Firmware Ozw772 Firmware
NVD
CVSS 4.0
9.3
EPSS
0.3%
CVE-2025-26389 CRITICAL This Week

A vulnerability has been identified in OZW672 (All versions < V8.0), OZW772 (All versions < V8.0). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Ozw672 Firmware Ozw772 Firmware
NVD
CVSS 4.0
10.0
EPSS
1.1%
CVE-2025-22248 CRITICAL This Week

The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

PostgreSQL Information Disclosure Kubernetes Docker Bitnami +1
NVD GitHub
CVSS 4.0
9.4
EPSS
0.3%
CVE-2025-42999 CRITICAL POC KEV THREAT Act Now

SAP NetWeaver Visual Composer allows privileged users to upload untrusted content that is deserialized on the server, enabling remote code execution. Companion to CVE-2025-31324.

SAP Deserialization Netweaver
NVD
CVSS 3.1
9.1
EPSS
67.8%
CVE-2025-30012 CRITICAL This Week

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Command Injection Deserialization Java Supplier Relationship Management
NVD
CVSS 3.1
10.0
EPSS
1.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy