Skip to main content
CVE-2025-1485 MEDIUM POC PATCH This Month

The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin before 5.1.6, real-cookie-banner-pro WordPress plugin before 5.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

WordPress XSS Wordpress Real Cookie Banner PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-48387 HIGH PATCH This Week

tar-fs versions prior to 3.0.9, 2.1.3, and 1.16.5 contain a path traversal vulnerability (CWE-22) that allows attackers to extract tar archives outside the intended directory using specially crafted tarballs. This affects all users of vulnerable tar-fs versions with network-accessible extraction endpoints; the high CVSS 8.7 score reflects the integrity impact and network-accessible attack vector, though no KEV status or widespread public exploits have been confirmed at this time.

Information Disclosure Red Hat
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-46807 HIGH PATCH This Week

A remote code execution vulnerability in A Allocation of Resources Without Limits or Throttling vulnerability in sslh (CVSS 8.7) that allows attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-5113 HIGH This Week

Critical vulnerability in Diviotec professional series devices that combines arbitrary command injection via a web interface endpoint with hardcoded credentials, allowing authenticated attackers to execute arbitrary commands with high impact on confidentiality, integrity, and availability. The CVSS 8.6 score reflects the severity of command injection paired with hardcoded passwords that eliminate authentication barriers. This vulnerability affects network-accessible professional series devices and represents an immediate risk in environments where these devices are deployed, particularly where adjacent network access is possible.

Command Injection
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2025-4010 HIGH PATCH This Week

Critical remote code execution vulnerability affecting Netcom NTC 6200 and NWL 222 series network devices. The vulnerability stems from multiple command injection flaws in the web interface combined with hardcoded credentials, allowing authenticated remote attackers to execute arbitrary commands with elevated privileges. With a CVSS score of 8.6 and an attack vector requiring only adjacent network access and low privileges, this vulnerability poses significant risk to organizations deploying these devices in networked environments.

RCE Command Injection
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2025-48990 HIGH This Week

1-byte heap buffer overflow in NeKernal OS version 0.0.2's `rt_copy_memory` function, where a null terminator is unconditionally written beyond the destination buffer boundary when the copy length equals the buffer size (256 bytes). This vulnerability affects local attackers with no privilege requirements and can result in high-impact compromise of confidentiality, integrity, and availability. The patch (commit fb7b7f658327f659c6a6da1af151cb389c2ca4ee) removes the overflow-causing null terminator write; no active exploitation or public POC is currently documented, but the CVSS 8.6 score reflects significant severity.

Buffer Overflow Heap Overflow Denial Of Service
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-5455 HIGH PATCH This Week

Denial-of-service vulnerability in Qt's private qDecodeDataUrl() function that triggers an assertion failure when processing malformed data URLs with incomplete charset parameters. This affects Qt versions up to 5.15.18, 6.0.0-6.5.8, 6.6.0-6.8.3, and 6.9.0, impacting applications using QTextDocument and QNetworkReply. An attacker can crash Qt-based applications by sending a specially crafted data URL, resulting in service disruption; the vulnerability requires user interaction (UI involvement) but has a high CVSS score of 8.4 due to integrity and availability impact.

Denial Of Service Red Hat Suse
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2025-5422 MEDIUM POC This Month

A security vulnerability in juzaweb CMS (CVSS 4.3). Risk factors: public PoC available.

Information Disclosure Cms
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-3260 HIGH PATCH This Week

CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.

Grafana Authentication Bypass Privilege Escalation Information Disclosure Red Hat +1
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-3951 MEDIUM POC PATCH This Month

The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.

WordPress SQLi Wp Optimize PHP
NVD WPScan
CVSS 3.1
4.1
EPSS
0.1%
CVE-2024-57783 HIGH This Week

Cross-site scripting (XSS) vulnerability in Dot desktop application (versions through 0.9.3) that allows unauthenticated local attackers to execute arbitrary commands with high complexity due to unsafe DOM manipulation via innerHTML. The vulnerability chains user input and LLM output directly into the DOM without sanitization, combined with Electron's Node.js API access, enabling command execution. This is a local attack vector with high impact on confidentiality, integrity, and availability.

Node.js XSS
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-20298 HIGH PATCH This Week

Privilege escalation vulnerability in Splunk Universal Forwarder for Windows where incorrect file system permissions are assigned during installation or upgrade, allowing non-administrator users to read and modify sensitive files in the installation directory. This affects versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, and could enable unauthorized access to credentials, configuration files, and system monitoring data. While CVSS 8.0 indicates high severity, real-world exploitation requires local access and user interaction (UI requirement per vector), limiting attack scope.

Splunk Windows Microsoft Privilege Escalation Information Disclosure +1
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-5036 HIGH PATCH This Week

Use-After-Free vulnerability (CWE-416) in Autodesk Revit triggered by maliciously crafted RFA (Revit Family) files that can be linked or imported into the application. An unauthenticated attacker with local access can exploit this vulnerability to crash the application, exfiltrate sensitive data, or achieve arbitrary code execution with the privileges of the Revit process. The attack requires user interaction (opening/importing a malicious file) but has high impact potential (confidentiality, integrity, and availability all compromised); current KEV and exploitation status unknown without additional intelligence sources.

RCE Information Disclosure Revit
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2024-11857 HIGH PATCH This Week

Local privilege escalation vulnerability in Realtek Bluetooth HCI adaptor drivers that exploits a symlink-following flaw (CWE-59) to enable arbitrary file deletion. Local attackers with standard user privileges can create symbolic links to trick the driver into deleting critical system files, subsequently leveraging file deletion to gain elevated privileges. The vulnerability has a CVSS score of 7.8 (High) with complete integrity and confidentiality impact; exploitation status and POC availability require vendor advisory correlation to assess active exploitation risk.

Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-1246 HIGH This Week

Buffer over-read vulnerability in Arm GPU userspace drivers (Bifrost, Valhall, and 5th Gen architectures) that allows unprivileged local users to access memory outside allocated buffer bounds through valid GPU operations including WebGL and WebGPU. The vulnerability affects multiple driver versions across three GPU architectures and has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability; exploitation status and POC availability are not documented in the provided data.

Information Disclosure Bifrost Gpu Userspace Driver 5th Gen Gpu Architecture Userspace Driver Valhall Gpu Userspace Driver
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0073 HIGH This Week

Use After Free (UAF) vulnerability in Arm Ltd's Valhall GPU Kernel Driver and Arm 5th Gen GPU Architecture Kernel Driver that allows a local, unprivileged user to access already-freed GPU memory through improper GPU memory processing operations. Affected versions range from r53p0 before r54p0 in both driver families. With a CVSS score of 7.8 and high impact across confidentiality, integrity, and availability, this vulnerability enables memory disclosure, data manipulation, and potential denial of service on systems running vulnerable GPU drivers.

Use After Free Memory Corruption Privilege Escalation 5th Gen Gpu Architecture Kernel Driver Valhall Gpu Kernel Driver
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0819 HIGH This Week

A security vulnerability in Arm Ltd Bifrost GPU Kernel Driver (CVSS 7.8) that allows a local non-privileged user process. High severity vulnerability requiring prompt remediation.

Denial Of Service Bifrost Gpu Kernel Driver 5th Gen Gpu Architecture Kernel Driver Valhall Gpu Kernel Driver
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-25179 HIGH This Week

GPU privilege escalation vulnerability allowing non-privileged users to conduct improper GPU system calls that bypass GPU hardware protections and write to arbitrary physical memory pages, achieving complete system compromise. The vulnerability affects GPU driver implementations across multiple vendors and has a CVSS score of 7.8 (High) with local attack vector requiring low privileges but no user interaction. Without KEV confirmation, EPSS score, or confirmed public POC in the provided data, the real-world exploitation risk remains moderate but should be treated as significant due to the nature of GPU memory access primitives in modern systems.

Privilege Escalation Memory Corruption Ddk
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23105 HIGH This Week

Use-after-free vulnerability in Samsung's Exynos mobile processors (2200, 1480, and 2400) that allows a local attacker with low privileges to escalate to higher privileges and potentially achieve code execution with full system compromise. The vulnerability requires local access but no user interaction, making it a significant privilege escalation vector for devices running affected processor versions. The CVSS 7.8 rating reflects the high confidentiality, integrity, and availability impacts achievable through privilege escalation on mobile devices where such attacks directly threaten user data and system security.

Privilege Escalation Samsung Use After Free Exynos 1480 Firmware Exynos 2400 Firmware +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-12168 HIGH PATCH This Week

DLL hijacking vulnerability in Yandex Telemost for Desktop versions before 2.7.0, where the application searches for dynamic libraries in untrusted paths, allowing local attackers with user-level privileges to execute arbitrary code through malicious DLL injection. The vulnerability has a high CVSS score of 7.8 and requires user interaction (running the application), but poses significant risk as DLL hijacking is a well-understood and commonly exploitable attack vector with publicly available proof-of-concept techniques.

Information Disclosure Yandex Telemost
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-26396 HIGH This Week

Local privilege escalation vulnerability in SolarWinds Dameware Mini Remote Control caused by incorrect permission assignments on system resources. An authenticated attacker with low-privilege local access can exploit this vulnerability to gain elevated privileges (SYSTEM/Administrator level), achieving complete system compromise including confidentiality, integrity, and availability violations. This vulnerability requires valid local credentials and user interaction is not required for exploitation, making it a significant risk for multi-user systems or those with shared access.

Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-5412 LOW POC PATCH Monitor

A vulnerability classified as problematic has been found in Mist Community Edition up to 4.7.1. Affected is the function Login of the file src/mist/api/views.py of the component Authentication Endpoint. The manipulation of the argument return_to leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The name of the patch is db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component.

XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-5420 LOW POC Monitor

A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/file-manager/upload of the component Profile Page. The manipulation of the argument Upload leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-29785 HIGH PATCH This Week

Nil-pointer dereference vulnerability in quic-go's path probe loss recovery logic introduced in v0.50.0 that allows unauthenticated remote attackers to crash QUIC servers. A malicious client can trigger a denial-of-service by sending valid QUIC packets from multiple addresses to initiate path validation, then crafting specific ACKs to dereference a null pointer. The vulnerability affects quic-go versions from v0.50.0 through v0.50.0 (patched in v0.50.1), with a CVSS score of 7.5 and high availability impact but no known active exploitation or public POC at time of disclosure.

Golang Denial Of Service Null Pointer Dereference Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-57459 HIGH This Week

Time-based SQL injection vulnerability in the mydetailsstudent.php file of CloudClassroom PHP Project version 1.0, where the 'myds' parameter fails to properly validate user input, allowing unauthenticated remote attackers to inject and execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.3 (High), indicating potential for data theft, modification, and service disruption. No KEV status or active exploitation data is provided in the current intelligence; however, the network-accessible nature (CVSS:3.1/AV:N) and low attack complexity suggest this represents a significant real-world risk if the affected application is internet-facing.

PHP SQLi Cloudclassroom Php Project
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-5435 HIGH This Week

Critical SQL injection vulnerability in Marwal Infotech CMS 1.0 affecting the /page.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has public exploit disclosure and proof-of-concept availability, but the vendor has not responded to early disclosure notifications, leaving affected deployments unpatched and at active risk.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-5434 HIGH This Week

Critical SQL injection vulnerability in Aem Solutions CMS versions up to 1.0, affecting the /page.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL commands. With a CVSS score of 7.3, a publicly disclosed exploit, and unresponsive vendor engagement, this vulnerability poses significant risk to confidentiality, integrity, and availability of affected systems.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-37091 HIGH PATCH This Week

Command injection remote code execution vulnerability in HPE StoreOnce Software that allows authenticated attackers with high privileges to execute arbitrary commands on affected systems. The vulnerability has a CVSS score of 7.2 (high severity) and requires authenticated access but no user interaction. Given the command injection nature (CWE-77) and network attack vector, this poses significant risk to organizations running vulnerable HPE StoreOnce deployments, particularly if KEV status or active exploitation is confirmed.

RCE Command Injection HP Storeonce System
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-48940 HIGH PATCH This Week

MyBB versions prior to 1.8.39 contain a local file inclusion (LFI) vulnerability in the upgrade component due to improper input validation (CWE-22). This vulnerability allows authenticated administrators or unauthenticated attackers with access to an unlocked installer to read arbitrary files from the server filesystem. The vulnerability requires either the installer to be accessible via re-installation or the attacker to have administrative privileges, significantly limiting real-world exploitability despite the CVSS 7.2 score.

PHP Information Disclosure Mybb
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2024-7074 MEDIUM PATCH This Month

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.

File Upload RCE
NVD
CVSS 3.1
6.8
EPSS
0.7%
CVE-2025-46806 MEDIUM PATCH This Month

A Use of Out-of-range Pointer Offset vulnerability in sslh leads to denial of service on some architectures.This issue affects sslh before 2.2.4.

Denial Of Service Memory Corruption Ubuntu Debian Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-48995 MEDIUM PATCH This Month

A security vulnerability in SignXML (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

Python Information Disclosure Ubuntu Debian
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-48994 MEDIUM PATCH This Month

A security vulnerability in SignXML (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

Python Information Disclosure Ubuntu Debian
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-27954 MEDIUM This Month

An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the usertoken function of default.aspx.

RCE Command Injection Clinical Collaboration Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-27955 MEDIUM This Month

Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code.

RCE Clinical Collaboration Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-27953 MEDIUM This Month

An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the session management component.

RCE Command Injection Clinical Collaboration Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-7073 MEDIUM PATCH This Month

A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows unauthenticated attackers to manipulate server-side requests, enabling access to internal and external resources available through the network or filesystem. Exploitation of this vulnerability could lead to unauthorized access to sensitive data and systems, including resources within private networks, as long as they are reachable by the affected product.

Information Disclosure SSRF Authentication Bypass Open Banking Km Open Banking Iam +2
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-47585 MEDIUM This Month

Missing Authorization vulnerability in Mage people team Booking and Rental Manager allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking and Rental Manager: from n/a through 2.3.8.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-23104 MEDIUM This Month

An issue was discovered in Samsung Mobile Processor Exynos 2200. A Use-After-Free in the mobile processor leads to privilege escalation.

Use After Free Privilege Escalation Samsung Memory Corruption Exynos 2200 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-20678 MEDIUM This Month

In ims service, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01394606; Issue ID: MSV-2739.

Denial Of Service Lr13 Lr12a Nr17 Nr15 +2
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-3919 MEDIUM This Month

The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page. The vulnerability was partially fixed in version 2.4.3 and fully fixed in version 2.4.4

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-47289 MEDIUM PATCH This Month

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker - potentially leading to account takeover. Version 1.1.0.3 fixes the issue.

XSS Ce Phoenix Cart
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-5433 MEDIUM This Month

A vulnerability was found in Fengoffice Feng Office 3.5.1.5 and classified as critical. Affected by this issue is some unknown functionality of the file /index.php?c=account&a=set_timezone. The manipulation of the argument tz_offset leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Microsoft PHP SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-48955 MEDIUM PATCH This Month

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-37094 MEDIUM PATCH This Month

A directory traversal arbitrary file deletion vulnerability exists in HPE StoreOnce Software.

Path Traversal Storeonce System
NVD
CVSS 3.1
5.5
EPSS
1.2%
CVE-2025-20677 MEDIUM This Month

In Bluetooth driver, there is a possible system crash due to an uncaught exception. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00412256; Issue ID: MSV-3284.

Null Pointer Dereference Denial Of Service Nbiot Sdk
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-20676 MEDIUM This Month

In wlan STA driver, there is a possible system crash due to an uncaught exception. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00412240; Issue ID: MSV-3293.

Null Pointer Dereference Denial Of Service Nbiot Sdk
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-20675 MEDIUM This Month

In wlan STA driver, there is a possible system crash due to an uncaught exception. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00413201; Issue ID: MSV-3302.

Null Pointer Dereference Denial Of Service Mt7927 Firmware Mt7902 Firmware Mt7925 Firmware +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-20673 MEDIUM This Month

In wlan STA driver, there is a possible system crash due to an uncaught exception. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00413200; Issue ID: MSV-3304.

Null Pointer Dereference Denial Of Service Mt7927 Firmware Mt7921 Firmware Mt7925 Firmware +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-47272 MEDIUM PATCH This Month

The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public machine) could permanently delete the user’s account without knowledge of the password. This bypass of re-authentication puts users at risk of account loss and data disruption. Version 1.1.0.3 contains a patch for the issue.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy