Skip to main content
CVE-2025-47577 CRITICAL POC Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server.10.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2025-23123 CRITICAL Act Now

A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a heap buffer overflow vulnerability in the UniFi Protect Cameras (Version 4.75.43. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE Ubiquiti
NVD
CVSS 3.0
10.0
EPSS
1.7%
CVE-2025-39401 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server.0 (17-08-2023). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2025-39380 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server.0(20-11-2023). Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-26892 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2025-39402 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla WPAMS allows Upload a Web Shell to a Web Server.0 (17-08-2023). Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-26872 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Eximius allows Using Malicious Files.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-39406 CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPAMS allows PHP Local File Inclusion.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-32926 CRITICAL Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThemeGoods Grand Restaurant WordPress allows Path Traversal.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Path Traversal
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-39356 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Chimpstudio Foodbakery Sticky Cart allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39354 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39349 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.18.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39348 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32928 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32927 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery allows Object Injection.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47581 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39410 CRITICAL Act Now

PHP object injection in Smart Sections Theme Builder (WordPress plugin) through version 1.7.8 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-based exploitation requiring no authentication or user interaction, creating a critical remotely exploitable condition. EPSS score of 0.37% (59th percentile) suggests moderate exploitation probability, though no CISA KEV listing or public exploit code has been identified at time of analysis. Patchstack database identifies this as a PHP Object Injection vulnerability affecting the WPBakery Page Builder addon.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47582 CRITICAL Act Now

PHP object injection in WPBot Pro WordPress Chatbot versions up to 12.7.0 allows remote unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization of user-supplied data. The vulnerability achieves complete system compromise with CVSS 9.8 critical severity (network accessible, no authentication required, low complexity). No active exploitation confirmed in CISA KEV, but EPSS score of 0.37% (59th percentile) indicates moderate exploitation likelihood. Patchstack database confirms the vulnerability with technical details available to researchers.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-48340 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager allows Privilege Escalation.02. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-39395 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPAMS allows SQL Injection.0 (17-08-2023). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-39389 CRITICAL Act Now

Unauthenticated SQL injection in AnalyticsWP WordPress plugin versions up to 2.1.2 allows remote attackers to extract sensitive database contents via crafted SQL queries. The CVSS 9.3 score reflects network-accessible exploitation with no authentication required and changed scope, enabling high confidentiality impact and low availability impact. EPSS probability is relatively low at 0.23% (46th percentile), suggesting limited active exploitation despite the critical severity rating. Patchstack vulnerability database confirms the flaw, indicating third-party security research disclosure.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-39386 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla Hospital Management System allows SQL Injection.0(20-11-2023). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-39445 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder allows SQL Injection.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-46801 CRITICAL Act Now

Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-47949 CRITICAL PATCH This Week

samlify is a Node.js library for SAML single sign-on. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Node.js Samlify
NVD GitHub
CVSS 4.0
9.9
EPSS
0.2%
CVE-2025-47284 CRITICAL PATCH This Week

Gardener implements the automated management and operation of Kubernetes clusters as a service. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Gardener Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-47283 CRITICAL PATCH This Week

Gardener implements the automated management and operation of Kubernetes clusters as a service. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Gardener Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-47282 CRITICAL PATCH This Week

Gardener External DNS Management is an environment to manage external DNS entries for a kubernetes cluster. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Kubernetes Suse
NVD GitHub
CVSS 3.0
9.9
EPSS
0.3%
CVE-2025-36560 CRITICAL This Week

Server-side request forgery vulnerability exists in a-blog cms multiple versions. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF A Blog Cms
NVD
CVSS 4.0
9.2
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy