Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes.
Dassault Systemes DELMIA Apriso (releases 2020-2025) contains an unauthenticated deserialization vulnerability (CVE-2025-5086, CVSS 9.0) that enables remote code execution on manufacturing execution systems. KEV-listed with EPSS 39.2% and public PoC, this vulnerability threatens industrial manufacturing operations by targeting the MES (Manufacturing Execution System) layer that controls production processes.
SQL injection in llama_index DuckDB vector store v0.12.19. PoC and patch available.
Command Injection Rce (3Rd) in HPE StoreOnce backup storage software. One of 6 critical CVEs.
Command Injection Rce (2Nd) in HPE StoreOnce backup storage software. One of 6 critical CVEs.
Command Injection Rce in HPE StoreOnce backup storage software. One of 6 critical CVEs.
Directory Traversal in HPE StoreOnce backup storage software. One of 6 critical CVEs.
Heap OOB write in Android Bluetooth driver via incorrect bounds check.
Remote privilege escalation in Android WLAN AP driver via packet injection.
Ssrf in HPE StoreOnce backup storage software. One of 6 critical CVEs.
Auth Bypass in HPE StoreOnce backup storage software. One of 6 critical CVEs.
Privilege escalation in Axis VAPIX framework.
OOB write in Samsung Exynos 1480/2400 processors.