ACT NOW CVE-2025-48928 4.0 The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48927 5.3 The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48828 9.0 vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protected API controllers. The /api.php endpoint fails to properly enforce method visibility on PHP 8.1+, enabling attackers to invoke internal API methods that should be restricted, as exploited in the wild in May 2025. | ACT NOW CVE-2025-48827 10.0 vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted template conditional expressions. Attackers abuse PHP's alternative function invocation syntax to bypass template engine security checks and execute arbitrary PHP code, as actively exploited in the wild in May 2025. | ACT NOW CVE-2025-34026 9.2 Versa Concerto SD-WAN orchestration platform contains an authentication bypass in Traefik reverse proxy configuration, exposing Actuator endpoints with heap dumps and trace logs. | ACT NOW CVE-2025-4008 8.7 Meteobridge weather station web interface contains a command injection vulnerability allowing unauthenticated remote attackers to execute arbitrary commands through crafted requests to CGI endpoints. | ACT NOW CVE-2025-44882 9.8 A command injection vulnerability in the component /cgi-bin/firewall.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%. | ACT NOW CVE-2025-44880 9.8 A command injection vulnerability in the component /cgi-bin/adm.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%. | ACT NOW CVE-2025-44881 9.8 A command injection vulnerability in the component /cgi-bin/qos.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%. | ACT NOW CVE-2025-47916 10.0 Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template engine's themeeditor.php. By crafting template conditional strings using PHP's alternative function call syntax, attackers bypass security filters and execute arbitrary PHP code on the server. | ACT NOW CVE-2025-32709 7.8 Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a null pointer dereference, exploited in May 2025. | ACT NOW CVE-2025-32706 7.8 Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulnerability in the May 2025 Patch Tuesday. | ACT NOW CVE-2025-32701 7.8 Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a series of CLFS kernel vulnerabilities exploited throughout 2023-2025. | ACT NOW CVE-2025-30400 7.8 Windows Desktop Window Manager (DWM) contains a use-after-free enabling local privilege escalation, exploited in the wild in May 2025 as another DWM zero-day. | ACT NOW CVE-2025-30397 7.5 Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the network through crafted content processed by the scripting engine. | ACT NOW CVE-2025-4428 7.2 Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authenticated attackers to execute arbitrary code through crafted API requests. | EMERGENCY CVE-2025-45858 9.8 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 15.4%. | ACT NOW CVE-2024-46506 10.0 NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection through the settings update API. The savesettings function lacks authentication, enabling attackers to modify arbitrary configuration values and inject OS commands that execute on the host system. | ACT NOW CVE-2025-32756 9.8 Fortinet FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice contain a stack-based buffer overflow enabling unauthenticated remote code execution across multiple Fortinet products. | ACT NOW CVE-2025-4632 9.8 Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary files as SYSTEM authority, enabling complete server compromise. | ACT NOW CVE-2025-42999 9.1 SAP NetWeaver Visual Composer allows privileged users to upload untrusted content that is deserialized on the server, enabling remote code execution. Companion to CVE-2025-31324. | EMERGENCY CVE-2025-3605 9.8 The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 12.7%. | ACT NOW CVE-2025-35939 6.9 Craft CMS stores arbitrary content provided by unauthenticated users in session files. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and EPSS exploitation probability 33.1%. | EMERGENCY CVE-2025-2777 9.3 SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.6%. | EMERGENCY CVE-2025-2776 9.3 SysAid On-Prem contains a second unauthenticated XXE injection in Server URL processing, providing an alternative attack path to the Checkin XXE (CVE-2025-2775) for admin takeover. | EMERGENCY CVE-2025-2775 9.3 SysAid On-Prem versions through 23.3.40 contain an unauthenticated XXE injection in the Checkin processing, enabling administrator account takeover and file read primitives. | EMERGENCY CVE-2025-45491 9.8 Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.9%. | ACT NOW CVE-2025-2011 7.5 The Depicter Slider & Popup Builder WordPress plugin through version 3.6.1 contains an unauthenticated SQL injection via the 's' search parameter. The insufficient escaping allows attackers to append additional SQL queries, extracting the entire WordPress database without authentication. | EMERGENCY CVE-2025-45042 9.8 Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.8%. | ACT NOW CVE-2025-27920 7.2 Output Messenger before 2.0.63 contains a directory traversal vulnerability enabling attackers to access files outside the intended directory through path manipulation in parameters. |

ACT NOW CVE-2025-48928 4.0 The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48927 5.3 The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48828 9.0 vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protected API controllers. The /api.php endpoint fails to properly enforce method visibility on PHP 8.1+, enabling attackers to invoke internal API methods that should be restricted, as exploited in the wild in May 2025. | ACT NOW CVE-2025-48827 10.0 vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted template conditional expressions. Attackers abuse PHP's alternative function invocation syntax to bypass template engine security checks and execute arbitrary PHP code, as actively exploited in the wild in May 2025. | ACT NOW CVE-2025-34026 9.2 Versa Concerto SD-WAN orchestration platform contains an authentication bypass in Traefik reverse proxy configuration, exposing Actuator endpoints with heap dumps and trace logs. | ACT NOW CVE-2025-4008 8.7 Meteobridge weather station web interface contains a command injection vulnerability allowing unauthenticated remote attackers to execute arbitrary commands through crafted requests to CGI endpoints. | ACT NOW CVE-2025-44882 9.8 A command injection vulnerability in the component /cgi-bin/firewall.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%. | ACT NOW CVE-2025-44880 9.8 A command injection vulnerability in the component /cgi-bin/adm.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%. | ACT NOW CVE-2025-44881 9.8 A command injection vulnerability in the component /cgi-bin/qos.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%. | ACT NOW CVE-2025-47916 10.0 Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template engine's themeeditor.php. By crafting template conditional strings using PHP's alternative function call syntax, attackers bypass security filters and execute arbitrary PHP code on the server. | ACT NOW CVE-2025-32709 7.8 Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a null pointer dereference, exploited in May 2025. | ACT NOW CVE-2025-32706 7.8 Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulnerability in the May 2025 Patch Tuesday. | ACT NOW CVE-2025-32701 7.8 Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a series of CLFS kernel vulnerabilities exploited throughout 2023-2025. | ACT NOW CVE-2025-30400 7.8 Windows Desktop Window Manager (DWM) contains a use-after-free enabling local privilege escalation, exploited in the wild in May 2025 as another DWM zero-day. | ACT NOW CVE-2025-30397 7.5 Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the network through crafted content processed by the scripting engine. | ACT NOW CVE-2025-4428 7.2 Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authenticated attackers to execute arbitrary code through crafted API requests. | EMERGENCY CVE-2025-45858 9.8 TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability via the FUN_00459fdc function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 15.4%. | ACT NOW CVE-2024-46506 10.0 NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection through the settings update API. The savesettings function lacks authentication, enabling attackers to modify arbitrary configuration values and inject OS commands that execute on the host system. | ACT NOW CVE-2025-32756 9.8 Fortinet FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice contain a stack-based buffer overflow enabling unauthenticated remote code execution across multiple Fortinet products. | ACT NOW CVE-2025-4632 9.8 Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary files as SYSTEM authority, enabling complete server compromise. | ACT NOW CVE-2025-42999 9.1 SAP NetWeaver Visual Composer allows privileged users to upload untrusted content that is deserialized on the server, enabling remote code execution. Companion to CVE-2025-31324. | EMERGENCY CVE-2025-3605 9.8 The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 12.7%. | ACT NOW CVE-2025-35939 6.9 Craft CMS stores arbitrary content provided by unauthenticated users in session files. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and EPSS exploitation probability 33.1%. | EMERGENCY CVE-2025-2777 9.3 SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 24.6%. | EMERGENCY CVE-2025-2776 9.3 SysAid On-Prem contains a second unauthenticated XXE injection in Server URL processing, providing an alternative attack path to the Checkin XXE (CVE-2025-2775) for admin takeover. | EMERGENCY CVE-2025-2775 9.3 SysAid On-Prem versions through 23.3.40 contain an unauthenticated XXE injection in the Checkin processing, enabling administrator account takeover and file read primitives. | EMERGENCY CVE-2025-45491 9.8 Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.9%. | ACT NOW CVE-2025-2011 7.5 The Depicter Slider & Popup Builder WordPress plugin through version 3.6.1 contains an unauthenticated SQL injection via the 's' search parameter. The insufficient escaping allows attackers to append additional SQL queries, extracting the entire WordPress database without authentication. | EMERGENCY CVE-2025-45042 9.8 Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.8%. | ACT NOW CVE-2025-27920 7.2 Output Messenger before 2.0.63 contains a directory traversal vulnerability enabling attackers to access files outside the intended directory through path manipulation in parameters. |