Skip to main content
CVE-2025-47781 CRITICAL POC Act Now

Rallly is an open-source scheduling and collaboration tool. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Rallly
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-47445 HIGH POC This Week

Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.0.26. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
8.8%
CVE-2025-47783 HIGH POC PATCH GHSA This Week

Label Studio is a multi-type data labeling and annotation tool. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Label Studio
NVD GitHub
CVSS 4.0
7.6
EPSS
0.2%
CVE-2025-47292 CRITICAL Act Now

Cap Collectif is an online decision making platform that integrates several tools. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
CVSS 4.0
9.5
EPSS
4.9%
CVE-2024-52290 MEDIUM POC PATCH This Month

LF Edge eKuiper is a lightweight internet of things (IoT) data analytics and stream processing engine. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ekuiper Suse
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-47775 MEDIUM POC PATCH This Month

Bullfrog is a GithHb Action to block unauthorized outbound traffic in GitHub workflows. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Bullfrog
NVD GitHub
CVSS 3.1
6.2
EPSS
0.3%
CVE-2025-29691 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the userName parameter at. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Oa System
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-29690 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the outtype parameter at. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Oa System
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-29689 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the password parameter at. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Oa System
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-29688 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Oa System
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-29686 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Oa System
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-24780 CRITICAL PATCH Act Now

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Code Injection Iotdb
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2025-47889 CRITICAL Act Now

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Wso2 Oauth
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-57273 MEDIUM POC This Month

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pfsense Ce Pfsense Plus
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-4641 CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Microsoft Java Apple Windows +1
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2025-3623 CRITICAL PATCH Act Now

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

WordPress PHP Deserialization Uncanny Automator
NVD
CVSS 3.1
9.1
EPSS
1.1%
CVE-2025-4637 HIGH This Week

Divide By Zero vulnerability in davisking dlib allows remote attackers to cause a denial of service via a crafted file. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD GitHub
CVSS 4.0
8.7
EPSS
1.0%
CVE-2025-47708 HIGH PATCH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Miniorange 2fa Drupal
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-2875 HIGH This Week

cause a loss of confidentiality when an unauthenticated attacker manipulates controller’s webserver URL to access resources. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.5%
CVE-2025-4430 HIGH This Week

Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation.19 (published on 22nd August 2024). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
8.6
EPSS
0.3%
CVE-2025-24022 HIGH This Week

iTop is an web based IT Service Management tool. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection RCE Itop
NVD GitHub
CVSS 3.1
8.5
EPSS
0.7%
CVE-2025-3833 HIGH This Week

Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Manageengine Adselfservice Plus
NVD
CVSS 3.1
8.1
EPSS
1.8%
CVE-2025-3834 HIGH This Week

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the OU History report. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Manageengine Adaudit Plus
NVD
CVSS 3.1
8.1
EPSS
1.7%
CVE-2025-4640 HIGH This Week

Out-of-bounds Write vulnerability in PointCloudLibrary pcl allows Overflow Buffers. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Memory Corruption Buffer Overflow
NVD GitHub
CVSS 4.0
8.3
EPSS
0.3%
CVE-2025-0130 HIGH This Week

A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Paloalto
NVD VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2025-3909 HIGH PATCH This Week

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-58101 HIGH This Week

Samsung Galaxy Buds and Galaxy Buds 2 audio devices are Bluetooth pairable by default without user input nor a way to stop this mode. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Samsung Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-3600 HIGH This Week

In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Telerik Ui For Asp Net Ajax
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-26864 HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.10.0 through 1.3.3, from 2.0.1-beta. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-26795 HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.10.0 through 1.3.3, from 2.0.1-beta before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-3875 HIGH PATCH This Week

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-47707 HIGH PATCH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Miniorange 2fa Drupal
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-2900 HIGH PATCH This Week

IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow IBM Denial Of Service Semeru Runtime +1
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-47710 HIGH PATCH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Miniorange 2fa Drupal
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-0133 LOW POC Monitor

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Paloalto XSS
NVD
CVSS 4.0
2.7
EPSS
3.5%
CVE-2025-46836 MEDIUM PATCH CISA This Month

net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

RCE Privilege Escalation
NVD GitHub
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-0134 MEDIUM This Month

A code injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Paloalto
NVD
CVSS 4.0
6.5
EPSS
0.4%
CVE-2025-30667 MEDIUM This Month

NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Null Pointer Dereference Denial Of Service Meeting Software Development Kit Rooms +5
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-46785 MEDIUM This Month

Buffer over-read in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Buffer Overflow Denial Of Service Meeting Software Development Kit Rooms +4
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-30668 MEDIUM This Month

Integer underflow in some Zoom Workplace Apps may allow an authenticated user to conduct a denial of service via network access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Integer Overflow Denial Of Service Meeting Software Development Kit Rooms Rooms Controller +3
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-3932 MEDIUM PATCH This Month

It was possible to craft an email that showed a tracking link as an attachment. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-47709 MEDIUM PATCH This Month

Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing.0.0 before 4.7.0, from 5.0.0 before 5.2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Miniorange 2fa Drupal
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-45516 MEDIUM This Month

An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass XSS Zimbra Collaboration Suite
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2025-47704 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS).0.0 before 3.0.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Klaro Cookie Consent Management Drupal
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-47703 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).0.0 before 1.2.14. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Cookies Coonsent Manager Drupal
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-44024 MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability was discovered in the Pichome system v2.1.0 and before. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-47705 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS).0.0 before 2.0.5, from 7.X-1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Iframe Remove Filter Drupal
NVD HeroDevs
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-47888 MEDIUM This Month

Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Jenkins Dingtalk
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2024-13940 MEDIUM This Month

The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SSRF
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-57096 MEDIUM This Month

An issue in wps office before v.19302 allows a local attacker to obtain sensitive information via a crafted file. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure Wps Office
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy