THREAT ALERT

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — June 03, 2025

119 CVEs tracked today. 11 Critical, 45 High, 53 Medium, 10 Low.

CVE-2025-44148 CRITICAL CVSS 9.8
XSS in MailEnable before v10 via failure.aspx. EPSS 11.5%. PoC available.

RCE XSS Mailenable
CVE-2025-49002 CRITICAL CVSS 9.8
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.

Authentication Bypass Code Injection Dataease
CVE-2025-49001 CRITICAL CVSS 9.8
Auth bypass in DataEase BI tool before 2.10.10.

Information Disclosure Dataease
CVE-2025-48951 CRITICAL CVSS 9.3
Insecure deserialization in Auth0-PHP SDK 8.0.0-BETA3 to before 8.3.1.

Deserialization PHP RCE
CVE-2025-45854 CRITICAL CVSS 10.0
Unauthenticated RCE in JEHC-BPM 2.0.1 via execParams. EPSS 17.3%. PoC and patch available. CVSS 10.0.

RCE Code Injection Jehc Bpm
CVE-2025-32106 CRITICAL CVSS 9.8
Unauthenticated RCE in Audiocodes Mediapack MP-11x through 6.60A. EPSS 1.2%. PoC available.

Authentication Bypass Mp 114 Firmware Mp 118 Firmware Mp 112 Firmware
CVE-2025-32105 CRITICAL CVSS 9.8
Buffer overflow in Sangoma IMG2020 HTTP server through 2.3.9.6. EPSS 0.74%. PoC available.

Buffer Overflow RCE Img2020 Firmware
CVE-2025-27038 HIGH CVSS 7.5
Qualcomm Adreno GPU drivers in Chrome contain a use-after-free vulnerability (CVE-2025-27038, CVSS 7.5) enabling memory corruption during graphics rendering. KEV-listed, this vulnerability can be triggered through Chrome on Android devices with Qualcomm chipsets, providing a kernel-level exploitation path from web content.

Memory Corruption Google Denial Of Service Fastconnect 7800 Firmware Smart Audio 400 Platform Firmware
CVE-2025-25022 CRITICAL CVSS 9.6
Credential exposure in IBM QRadar Suite 1.10.12.0-1.11.2.0.

Information Disclosure IBM Cloud Pak For Security Qradar Suite
CVE-2025-23097 CRITICAL CVSS 9.1
OOB write in Samsung Exynos 1380 processor.

Buffer Overflow Samsung Exynos 1380 Firmware
CVE-2025-21480 HIGH CVSS 8.6
Qualcomm GPU micronode contains a memory corruption vulnerability (CVE-2025-21480, CVSS 8.6) caused by unauthorized command execution during specific GPU command sequences. KEV-listed, this vulnerability enables privilege escalation from the GPU context, potentially allowing app-level attackers to gain kernel access through the GPU driver on Qualcomm-based Android devices.

Memory Corruption Command Injection RCE Wsa8832 Firmware Fastconnect 6700 Firmware
CVE-2025-21479 HIGH CVSS 8.6
A second Qualcomm GPU micronode memory corruption vulnerability (CVE-2025-21479, CVSS 8.6) exists in the unauthorized command execution path during specific GPU command sequences. KEV-listed alongside CVE-2025-21480, this indicates a systemic issue in Qualcomm's GPU micronode command validation that is being actively exploited in mobile attack chains.

Memory Corruption Command Injection RCE Wcn7881 Firmware Snapdragon 888 5g Mobile Platform Firmware
CVE-2025-5419 HIGH CVSS 8.8
Chrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling remote heap corruption through crafted HTML pages. KEV-listed with EPSS 3.0% and public PoC, this vulnerability provides both read and write primitives in V8's heap, making it highly reliable for exploitation.

Google Heap Overflow Memory Corruption Chrome Edge Chromium
CVE-2025-4797 CRITICAL CVSS 9.8
Auth bypass account takeover in Golo City Travel Guide WordPress theme.

WordPress Privilege Escalation
CVE-2025-4517 CRITICAL CVSS 9.4
Path traversal in Python tarfile extraction with filter='data'.

Python Path Traversal RCE Redhat Suse
CVE-2025-48999 HIGH CVSS 8.8
Critical authentication bypass vulnerability in DataEase (open-source BI/data visualization tool) versions prior to 2.10.10 that allows authenticated attackers to bypass input validation filters introduced in CVE-2025-46566's patch. By crafting malicious payloads that exploit `getUrlType()` logic to evade hostname filtering, attackers can construct arbitrary JDBC statements, leading to complete compromise of confidentiality, integrity, and availability. This is a patch bypass vulnerability with authenticated access required but severe impact potential; patch version 2.10.10 is available.

Authentication Bypass Dataease
CVE-2025-48998 HIGH CVSS 8.8
Critical authentication bypass vulnerability in DataEase (open-source BI/data visualization tool) affecting versions prior to 2.10.6, which allows authenticated users to read and deserialize arbitrary files through JDBC background connections. This represents a bypass of the patch for CVE-2025-27103, escalating the risk from the original vulnerability. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid credentials (PR:L). No public exploit code availability or active KEV listing has been confirmed, but the patch availability (v2.10.10) indicates vendor acknowledgment of active exploitation risk.

Authentication Bypass Dataease
CVE-2025-48997 HIGH CVSS 8.7
Denial of Service vulnerability in Multer (Node.js multipart form-data middleware) affecting versions 1.4.4-lts.1 through 2.0.0 where an attacker can crash the application process by uploading a file with an empty string field name, triggering an unhandled exception. The vulnerability has a CVSS score of 8.7 indicating high severity, though the impact is limited to availability (DoS) rather than confidentiality or integrity. No active exploitation or public POC has been confirmed at this time, but the low attack complexity and network accessibility make this a practical DoS vector for any exposed Multer instance.

Node.js Denial Of Service Express Redhat
CVE-2025-48950 HIGH CVSS 8.8
MaxKB prior to version 1.10.8-lts contains an incomplete sandbox implementation that only blacklists binary execution in common system directories (/bin, /usr/bin, etc.), allowing local attackers with low privileges to execute arbitrary code via executable files in non-blacklisted directories and achieve full system compromise. The vulnerability affects enterprise AI assistant deployments and has a high CVSS score of 8.8 reflecting significant impact potential; exploitation requires local access but no user interaction.

Information Disclosure Maxkb
CVE-2025-46355 HIGH CVSS 7.3
PC Time Tracer versions prior to 5.2 contain an incorrect default permissions vulnerability (CWE-276) that allows local authenticated attackers to execute arbitrary code with SYSTEM privileges on Windows systems. The vulnerability requires local access and user interaction but provides complete system compromise capability. No KEV/CISA known exploited vulnerability status or public POC availability is confirmed from the provided data, though the CVSS 7.3 score and EPSS analysis should be monitored for exploitation likelihood.

RCE Privilege Escalation Windows
CVE-2025-46154 HIGH CVSS 8.4
Foxcms v1.25 contains a SQL time-based injection vulnerability in the installdb.php installation script, specifically in the $_POST['dbname'] parameter, allowing unauthenticated local attackers to execute arbitrary SQL commands and fully compromise database confidentiality, integrity, and availability. With a CVSS score of 8.4 and local attack vector, this vulnerability poses a significant risk during initial application deployment; exploitation status and POC availability should be confirmed against current threat intelligence feeds, though the high CVSS and local-only requirement suggests moderate real-world impact depending on deployment model.

PHP SQLi Foxcms
CVE-2025-36564 HIGH CVSS 7.8
Dell Encryption Admin Utilities versions prior to 11.10.2 contain an Improper Link Resolution vulnerability (CWE-61) that allows a local user with limited privileges to escalate their permissions to higher levels without user interaction. The vulnerability has a CVSS score of 7.8 (High) with local attack vector and low attack complexity, indicating straightforward exploitation by unprivileged local users. No active exploitation in the wild has been confirmed at this time, but the local privilege escalation nature and availability of detailed CVE information presents a meaningful post-patch exploitation risk.

Privilege Escalation Dell Encryption
CVE-2025-35036 HIGH CVSS 7.3
A information disclosure vulnerability (CVSS 7.3) that allows an attacker. High severity vulnerability requiring prompt remediation. Vendor patch is available.

RCE Java Hibernate Validator Redhat
CVE-2025-31359 HIGH CVSS 8.8
Directory traversal vulnerability in Parallels Desktop for Mac version 20.2.2 (build 55879) affecting the PVMP package unpacking functionality. An authenticated local attacker with limited privileges can exploit this flaw to write arbitrary files to the system, potentially achieving privilege escalation with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user interaction is not needed, making it a significant risk for multi-user or shared Mac environments.

Privilege Escalation Path Traversal Parallels Desktop
CVE-2025-30167 HIGH CVSS 7.3
A security vulnerability in Jupyter Core (CVSS 7.3) that allows users. High severity vulnerability requiring prompt remediation.

Microsoft Authentication Bypass Jupyter Core Windows Suse
CVE-2025-27031 HIGH CVSS 7.8
Use-after-free memory corruption vulnerability in IOCTL command processing that occurs when buffers in write loopback mode are accessed after being freed. This local privilege escalation affects authenticated users (PR:L) on affected systems and can enable attackers to achieve confidentiality, integrity, and availability compromise (C:H/I:H/A:H). The vulnerability requires local access and low complexity exploitation, making it a significant risk for multi-user systems or systems where local code execution is possible.

Use After Free Memory Corruption Denial Of Service Wcd9375 Firmware Wsa8840 Firmware
CVE-2025-27029 HIGH CVSS 7.5
Network-accessible denial-of-service vulnerability in tone measurement response buffer processing that occurs when buffer contents fall outside expected range parameters, resulting in application/service crashes. The vulnerability affects systems implementing tone measurement protocols with improper input validation on buffer boundaries. An unauthenticated remote attacker can trigger this vulnerability with minimal complexity, causing service unavailability; however, without CVE details indicating active KEV status or public PoC availability, real-world exploitation likelihood remains moderate despite the high CVSS 7.5 score.

Buffer Overflow Denial Of Service Immersive Home 326 Platform Firmware Qca8112 Firmware Qca8085 Firmware
CVE-2025-25021 HIGH CVSS 7.2
CVE-2025-25021 is a security vulnerability (CVSS 7.2) that allows a privileged execute code. High severity vulnerability requiring prompt remediation.

RCE IBM Privilege Escalation Qradar Suite Cloud Pak For Security
CVE-2025-23107 HIGH CVSS 8.6
Critical out-of-bounds write vulnerability in Samsung's Exynos 1480 and 2400 mobile processors caused by insufficient length validation. This vulnerability affects Samsung Galaxy devices and other OEM devices utilizing these SoCs, allowing remote, unauthenticated attackers to execute code with high integrity impact and potential system compromise. The high CVSS score of 8.6 reflects the network-exploitable nature and lack of authentication requirements, though real-world exploitation depends on the specific attack surface exposed in affected device implementations.

Buffer Overflow Samsung Exynos 1480 Firmware Exynos 2400 Firmware
CVE-2025-23103 HIGH CVSS 8.6
CVE-2025-23103 is an out-of-bounds write vulnerability in Samsung's Exynos 1480 and 2400 mobile processors caused by insufficient length validation, allowing remote unauthenticated attackers to achieve high confidentiality impact with medium integrity and availability impact. The vulnerability has a CVSS score of 8.6 with low attack complexity and no privilege requirements, making it a significant risk to Samsung Galaxy devices using these processors; exploitation status and active use in the wild have not been confirmed at this time.

Buffer Overflow Samsung Exynos 2400 Firmware Exynos 1480 Firmware
CVE-2025-23102 HIGH CVSS 8.8
Double-free vulnerability in Samsung's Exynos mobile processors (models 980, 990, 1080, 2100, 1280, 2200, 1380, 1480, and 2400) that enables privilege escalation. An authenticated attacker with local access can trigger the memory corruption flaw to gain elevated privileges on affected devices. With a CVSS score of 8.8 and network accessibility (AV:N), this represents a critical risk for Samsung mobile device users, particularly if the vulnerability is actively exploited in-the-wild.

Privilege Escalation Samsung Memory Corruption Exynos 1080 Firmware Exynos 990 Firmware
CVE-2025-23100 HIGH CVSS 7.5
NULL pointer dereference vulnerability in Samsung's Exynos mobile processors (models 1280, 2200, 1380, 1480, 2400) that allows unauthenticated remote attackers to trigger a denial of service condition without user interaction. The vulnerability has a CVSS 3.1 score of 7.5 (High) with network-based attack vector and high availability impact, though no integrity or confidentiality compromise occurs. Exploitation likelihood and active weaponization status cannot be confirmed without KEV catalog verification and public exploit availability data.

Null Pointer Dereference Denial Of Service Samsung Exynos 1480 Firmware Exynos 2400 Firmware
CVE-2025-23098 HIGH CVSS 7.8
Use-After-Free (UAF) vulnerability in Samsung's Exynos mobile processors (980, 990, 1080, 2100, 1280, 2200, 1380) that enables local privilege escalation. An authenticated attacker with local access can exploit this memory safety flaw to gain elevated privileges on affected devices. The vulnerability has a CVSS 3.1 score of 7.8 (High), reflecting high impact on confidentiality, integrity, and availability, though exploitation requires local access and existing user-level privileges.

Use After Free Privilege Escalation Samsung Exynos 1380 Firmware Exynos 2100 Firmware
CVE-2025-21486 HIGH CVSS 7.8
Memory corruption vulnerability in dynamic process creation functionality that occurs when a client passes only the address and length of a shell binary without proper validation or bounds checking. This vulnerability affects local attackers with limited user privileges who can exploit the memory corruption to achieve arbitrary code execution with full system impact (confidentiality, integrity, and availability compromise). The vulnerability requires local access and low complexity exploitation, making it a significant risk for multi-user systems; KEV and active exploitation status are not confirmed in available data, but the high CVSS score (7.8) and memory corruption nature suggest this warrants urgent patching.

Buffer Overflow Memory Corruption Denial Of Service Wcn7860 Firmware Sm8750 Firmware
CVE-2025-21485 HIGH CVSS 7.8
Memory corruption vulnerability in Qualcomm's FastRPC implementation that affects local privilege escalation through malformed INIT and multimode invoke IOCTL calls. An attacker with local access and basic user privileges can trigger memory corruption to achieve code execution with elevated privileges, potentially compromising system integrity and confidentiality. The vulnerability carries a CVSS 7.8 score indicating high severity, though exploitation requires local access and authenticated session context.

Buffer Overflow Memory Corruption Denial Of Service Wsa8835 Firmware Qmp1000 Firmware
CVE-2025-21463 HIGH CVSS 7.5
Transient denial-of-service vulnerability in wireless beacon frame processing that occurs when a device receives a malformed EHT (Extremely High Throughput) operation information element. An unauthenticated remote attacker can trigger a temporary service disruption by sending a specially crafted beacon frame, affecting WiFi 6E and later devices. With a CVSS score of 7.5 and high availability impact, this vulnerability requires no user interaction and is network-accessible, making it a notable threat to wireless infrastructure and client devices, though there is currently no evidence of active exploitation in the wild.

Information Disclosure Qcn6024 Firmware Qca6696 Firmware Snapdragon X65 5g Modem Rf System Firmware Sa7775p Firmware
CVE-2025-5527 HIGH CVSS 8.8
Critical stack-based buffer overflow vulnerability in Tenda RX3 router firmware version 16.03.13.11_multi_TDE01, affecting the static route configuration endpoint. An authenticated remote attacker can exploit this vulnerability through manipulation of the 'list' argument in /goform/SetStaticRouteCfg to achieve code execution with full system privileges (confidentiality, integrity, and availability impact). Public exploit code exists and the vulnerability has been disclosed, creating immediate exploitation risk despite requiring authenticated access.

Buffer Overflow Rx3 Firmware Tenda
CVE-2025-5522 HIGH CVSS 7.3
Critical improper authorization vulnerability in the bskms 蓝天幼儿园管理系统 (Lantian Kindergarten Management System) affecting the /sa/addUser endpoint of the User Creation Handler component. The vulnerability allows unauthenticated remote attackers to bypass authorization controls and manipulate user creation functionality, potentially leading to unauthorized account creation, privilege escalation, or data compromise. The exploit has been publicly disclosed with proof-of-concept code available, and the affected product uses continuous delivery with rolling releases, making precise version tracking difficult.

Authentication Bypass Privilege Escalation
CVE-2025-5512 HIGH CVSS 7.3
A security vulnerability in quequnlong shiyi-blog (CVSS 7.3). Risk factors: public PoC available.

Authentication Bypass PHP Shiyi Blog
CVE-2025-5503 HIGH CVSS 8.8
A buffer overflow vulnerability (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow X15 Firmware TOTOLINK
CVE-2025-5499 HIGH CVSS 7.3
Critical remote code execution vulnerability in slackero phpwcms affecting versions up to 1.9.45 and 1.10.8. The vulnerability exists in the image_resized.php file where unsanitized input to the 'imgfile' parameter is passed to PHP's is_file() and getimagesize() functions, leading to unsafe deserialization. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with a CVSS score of 7.3; the vulnerability has been publicly disclosed with working exploits available, making active exploitation highly probable.

Deserialization PHP Phpwcms
CVE-2025-5495 HIGH CVSS 7.3
Critical authentication bypass vulnerability in Netgear WNR614 version 1.1.0.28_1.0.1WW that allows unauthenticated remote attackers to access sensitive configuration files through null-byte injection in the URL handler. The vulnerability affects the %00currentsetting.htm endpoint, enabling attackers to retrieve or modify device settings without credentials. This 0day has been publicly disclosed with proof-of-concept code available, and CVSS 7.3 reflects moderate confidentiality, integrity, and availability impact across network-accessible administration functions.

Authentication Bypass Netgear Path Traversal Wnr614 Firmware
CVE-2025-5068 HIGH CVSS 8.8
A security vulnerability in Blink in Google Chrome (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Use After Free Memory Corruption Google Heap Overflow Chrome
CVE-2025-4435 HIGH CVSS 7.5
Logic flaw in Python's TarFile module where the documented behavior of errorlevel=0 (skip filtered members) contradicts the actual implementation (extract filtered members anyway). This affects any application using Python's tarfile library with extraction filters, allowing attackers to extract files that should be blocked, potentially leading to path traversal or extraction of malicious content. The vulnerability has a high CVSS score (7.5) with network-accessible attack vector and no authentication required, though exploitation requires the application to implement extraction filters expecting them to be respected.

Python Path Traversal Redhat Suse
CVE-2025-4392 HIGH CVSS 7.2
A cross-site scripting vulnerability in Secure File Sharing (CVSS 7.2). High severity vulnerability requiring prompt remediation.

WordPress XSS PHP
CVE-2025-4330 HIGH CVSS 7.5
Path traversal vulnerability in Python's tarfile module extraction filters that allows attackers to bypass the 'data' and 'tar' filter protections, enabling symlink targets to point outside the extraction directory and permitting modification of file metadata. This affects any application using TarFile.extractall() or TarFile.extract() with filter='data' or filter='tar' on untrusted tar archives, as well as Python 3.14+ users relying on the new 'data' default filter. The vulnerability has a CVSS score of 7.5 (High) with high integrity impact, though exploitation requires an attacker to control the tar archive contents.

Python Path Traversal Information Disclosure RCE Redhat
CVE-2025-4224 HIGH CVSS 7.2
A cross-site scripting vulnerability in wpForo Advanced Attachments (CVSS 7.2). High severity vulnerability requiring prompt remediation.

WordPress XSS PHP
CVE-2025-4138 HIGH CVSS 7.5
CVE-2025-4138 is a security vulnerability (CVSS 7.5) that allows the extraction filter. High severity vulnerability requiring prompt remediation.

Python Path Traversal Information Disclosure RCE Redhat
CVE-2024-54189 HIGH CVSS 7.8
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) where the snapshot functionality allows a local attacker with user-level privileges to write arbitrary files via hard link exploitation of a root-owned process. An attacker can leverage this to escalate privileges from a normal user to root, potentially achieving full system compromise. The vulnerability has a CVSS score of 7.8 (high severity) and requires local access with low complexity.

Privilege Escalation Parallels Desktop
CVE-2024-53026 HIGH CVSS 8.2
CVE-2024-53026 is an information disclosure vulnerability in IMS (IP Multimedia Subsystem) implementations affecting VoLTE and VoWiFi call processing. When a malicious or malformed RTCP (Real-time Transport Control Protocol) packet is received during an active call, the vulnerable system leaks sensitive information to a network-adjacent attacker without requiring authentication or user interaction. The CVSS 8.2 rating reflects high confidentiality impact with partial availability degradation; exploitation likelihood and real-world activity status require cross-referencing with EPSS and KEV data.

Information Disclosure Wcd9335 Firmware Sm7325p Firmware Qcn9274 Firmware Sa6155 Firmware
CVE-2024-53021 HIGH CVSS 8.2
CVE-2024-53021 is an information disclosure vulnerability in RTCP (Real-time Transport Control Protocol) packet processing that allows unauthenticated remote attackers to leak sensitive data through malicious goodbye (BYE) RTCP packets. The vulnerability affects multiple VoIP and real-time communication products processing RTCP traffic; attackers can extract confidential information across the network without authentication or user interaction, and may also cause limited availability impact. The high CVSS score of 8.2 reflects the severe confidentiality impact and network-based attack vector, though exploitation complexity is low.

Information Disclosure Qcn9011 Firmware Wcn7860 Firmware Wcd9340 Firmware Wcn6450 Firmware
CVE-2024-53020 HIGH CVSS 8.2
CVE-2024-53020 is an information disclosure vulnerability in RTP (Real-time Transport Protocol) packet processing that occurs when decoding packets with malformed header extensions. An attacker on the network can send specially crafted RTP packets to trigger memory disclosure, potentially exposing sensitive information while also causing minor availability impact. The vulnerability affects multiple implementations of RTP protocol handling across various media processing frameworks and VoIP applications; while there is no confirmed active KEV status or public exploit code documented, the high CVSS score (8.2) combined with network accessibility (CVSS:3.1/AV:N) indicates significant real-world risk to exposed services.

Information Disclosure Sa8650p Firmware Apq8017 Firmware Qamsrv1h Firmware Wcn3610 Firmware
CVE-2024-53019 HIGH CVSS 8.2
Network-based information disclosure vulnerability in RTP (Real-time Transport Protocol) packet decoding that occurs when the CSRC (Contributing Source) count header field is improperly validated, allowing an attacker to read sensitive memory contents. The vulnerability affects any system processing RTP streams with malformed headers and has a high CVSS score of 8.2 due to the combination of high confidentiality impact and network accessibility without authentication; no patch availability, KEV status, EPSS score, or active exploitation details are currently documented.

Information Disclosure Wsa8840 Firmware Fastconnect 7800 Firmware Sm7675p Firmware Sm8635p Firmware
CVE-2024-53010 HIGH CVSS 7.8
Memory corruption vulnerability in Qualcomm's Virtual Machine (VM) attachment mechanism that occurs when the Host Linux OS (HLOS) retains access to a VM during attachment operations. This local privilege escalation vulnerability affects Qualcomm System-on-Chip (SoC) implementations and allows a local attacker with user-level privileges to achieve code execution with full system compromise (confidentiality, integrity, and availability impact). The vulnerability has not been reported as actively exploited in the KEV catalog, but the high CVSS score (7.8) and local attack vector indicate significant real-world risk for deployed Qualcomm-based devices.

VMware Memory Corruption Denial Of Service Qca8081 Firmware Qcn9011 Firmware
CVE-2024-52561 HIGH CVSS 7.8
Privilege escalation vulnerability in Parallels Desktop for Mac version 20.1.1 (build 55740) affecting the Snapshot deletion functionality. A local attacker with standard user privileges can exploit a symlink race condition to manipulate root-owned snapshot files, escalating privileges to root. The vulnerability has a CVSS score of 7.8 (high severity) with low attack complexity, and while specific KEV/EPSS data is not provided, the low complexity and local attack vector suggest moderate real-world exploitation probability.

Privilege Escalation Parallels Desktop
CVE-2024-36486 HIGH CVSS 7.8
Privilege escalation vulnerability in Parallels Desktop for Mac 20.1.1 that allows a local attacker with user-level privileges to gain root-level code execution through a hard link attack during virtual machine archive restoration. The prl_vmarchiver tool operates with root privileges during decompression and file restoration, enabling an attacker to redirect writes to arbitrary system files. This vulnerability has a CVSS score of 7.8 (High) with low attack complexity, making it a practical privilege escalation vector for local users on affected systems.

Privilege Escalation Parallels Desktop
CVE-2025-49164 MEDIUM CVSS 4.3
CVE-2025-49164 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-49163 MEDIUM CVSS 6.7
CVE-2025-49163 is a security vulnerability (CVSS 6.7) that allows booting an arbitrary image. Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-49162 MEDIUM CVSS 6.4
CVE-2025-49162 is a security vulnerability (CVSS 6.4) that allows file overwrite. Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-48953 MEDIUM CVSS 5.5
Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available.

File Upload Umbraco Cms
CVE-2025-46548 MEDIUM CVSS 6.5
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

Java Authentication Bypass Akka Management Pekko Management
CVE-2025-45855 MEDIUM CVSS 5.4
An arbitrary file upload vulnerability in the component /upload/GoodsCategory/image of erupt v1.12.19 allows attackers to execute arbitrary code via uploading a crafted file.

File Upload RCE Erupt
CVE-2025-43925 MEDIUM CVSS 4.6
An issue was discovered in Unicom Focal Point 7.6.1. The database is encrypted with a hardcoded key, making it easier to recover the cleartext data.

Information Disclosure Focal Point
CVE-2025-43924 MEDIUM CVSS 6.1
Cross Site Scripting vulnerability was discovered in Unicom Focal Point 7.6.1. The val parameter in SettingController (for /fp/admin/settings/loginpage) and the rootserviceurl parameter in FriendsController (for /fp/admin/settings/friends), entered by an admin, allow stored XSS.

XSS Focal Point
CVE-2025-43923 MEDIUM CVSS 6.5
An issue was discovered in ReportController in Unicom Focal Point 7.6.1. A user who has administrative privilege in Focal Point can perform SQL injection via the image parameter during a delete report image operation.

SQLi Focal Point
CVE-2025-41428 MEDIUM CVSS 5.3
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in TimeWorks 10.0 to 10.3. If exploited, arbitrary JSON files on the server may be viewed by a remote unauthenticated attacker.

Path Traversal
CVE-2025-31712 MEDIUM CVSS 5.1
In cplog service, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed.

Buffer Overflow Denial Of Service Android Google
CVE-2025-31711 MEDIUM CVSS 5.1
In cplog service, there is a possible system crash due to null pointer dereference. This could lead to local denial of service with no additional execution privileges needed.

Null Pointer Dereference Denial Of Service Android Google
CVE-2025-31710 MEDIUM CVSS 5.9
In engineermode service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed.

Privilege Escalation Command Injection Android Google
CVE-2025-30360 MEDIUM CVSS 6.5
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

Information Disclosure Google Webpack Dev Server Chrome Redhat
CVE-2025-30359 MEDIUM CVSS 5.3
A remote code execution vulnerability in webpack-dev-server (CVSS 5.3) that allows users. Risk factors: public PoC available. Vendor patch is available.

Code Injection Webpack Dev Server Redhat
CVE-2025-25020 MEDIUM CVSS 6.5
IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an authenticated user to cause a denial of service due to improperly validating API data input.

Denial Of Service IBM Qradar Suite Cloud Pak For Security
CVE-2025-25019 MEDIUM CVSS 4.8
IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 does not invalidate session after a logout which could allow a user to impersonate another user on the system.

Information Disclosure IBM Cloud Pak For Security Qradar Suite
CVE-2025-24015 MEDIUM CVSS 5.3
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. Version 2.1.7 includes a patch that addresses this issue.

Node.js Information Disclosure Deno Suse
CVE-2025-5544 MEDIUM CVSS 4.3
A vulnerability was found in aaluoxiang oa_system up to 5b445a6227b51cee287bd0c7c33ed94b801a82a5. It has been rated as problematic. Affected by this issue is the function image of the file src/main/java/cn/gson/oasys/controller/user/UserpanelController.java. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Java Path Traversal Oa System
CVE-2025-5525 MEDIUM CVSS 5.6
A vulnerability was found in Jrohy trojan up to 2.15.3. It has been declared as critical. This vulnerability affects the function LogChan of the file trojan/util/linux.go. The manipulation of the argument c leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Command Injection Trojan
CVE-2025-5521 MEDIUM CVSS 4.3
A vulnerability was found in WuKongOpenSource WukongCRM 9.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /system/user/updataPassword. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CSRF Wukongcrm
CVE-2025-5520 MEDIUM CVSS 5.3
A vulnerability was found in Open5GS up to 2.7.3. It has been classified as problematic. Affected is the function gmm_state_authentication/emm_state_authentication of the component AMF/MME. The manipulation leads to reachable assertion. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 9f5d133657850e6167231527514ee1364d37a884. It is recommended to apply a patch to fix this issue. This is a different issue than CVE-2025-1893.

Denial Of Service Debian Open5gs
CVE-2025-5515 MEDIUM CVSS 6.3
A vulnerability, which was classified as critical, has been found in TOTOLINK X2000R 1.0.0-B20230726.1108. Affected by this issue is some unknown functionality of the file /boafrm/formMapDel. The manipulation of the argument devicemac1 leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection X2000r Firmware TOTOLINK
CVE-2025-5511 MEDIUM CVSS 5.3
A security vulnerability in quequnlong shiyi-blog (CVSS 5.3). Risk factors: public PoC available.

Information Disclosure Shiyi Blog
CVE-2025-5510 MEDIUM CVSS 6.3
A vulnerability classified as critical was found in quequnlong shiyi-blog up to 1.2.1. This vulnerability affects unknown code of the file /app/sys/article/optimize. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

SSRF Shiyi Blog
CVE-2025-5509 MEDIUM CVSS 6.3
A vulnerability classified as critical has been found in quequnlong shiyi-blog up to 1.2.1. This affects an unknown part of the file /api/file/upload. The manipulation of the argument file/source leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Path Traversal Shiyi Blog
CVE-2025-5504 MEDIUM CVSS 6.3
A vulnerability has been found in TOTOLINK X2000R 1.0.0-B20230726.1108 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWsc. The manipulation of the argument peerRptPin leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection X2000r Firmware TOTOLINK
CVE-2025-5502 MEDIUM CVSS 6.3
A vulnerability, which was classified as critical, has been found in TOTOLINK X15 1.0.0-B20230714.1105. Affected by this issue is the function formMapReboot of the file /boafrm/formMapReboot. The manipulation of the argument deviceMacAddr leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Command Injection X15 Firmware TOTOLINK
CVE-2025-5501 MEDIUM CVSS 5.3
A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_handle_path_switch_request_transfer of the file src/smf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to reachable assertion. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named 2daa44adab762c47a8cef69cc984946973a845b3. It is recommended to apply a patch to fix this issue.

Denial Of Service Debian Open5gs
CVE-2025-5498 MEDIUM CVSS 5.5
A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.

Deserialization PHP Phpwcms
CVE-2025-5497 MEDIUM CVSS 6.3
A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component.

Deserialization PHP Phpwcms
CVE-2025-5493 MEDIUM CVSS 6.3
A vulnerability was found in Baison Channel Middleware Product 2.0.1 and classified as critical. Affected by this issue is some unknown functionality of the file /e3api/api/main/ToJsonByControlName. The manipulation of the argument data leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

SQLi Channel Middleware Product
CVE-2025-5492 MEDIUM CVSS 6.3
A vulnerability has been found in D-Link DI-500WF-WT up to 20250511 and classified as critical. Affected by this vulnerability is the function sub_456DE8 of the file /msp_info.htm?flag=cmd of the component /usr/sbin/jhttpd. The manipulation of the argument cmd leads to command injection. The attack can be launched remotely.

Command Injection Di 500wf Wt Firmware D-Link
CVE-2025-5340 MEDIUM CVSS 6.4
The Music Player for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘album_buy_url’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
CVE-2025-5116 MEDIUM CVSS 6.4
The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerid’ parameter in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue is due to an incomplete patch for CVE-2025-31835.

WordPress XSS PHP
CVE-2025-5103 MEDIUM CVSS 4.9
The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to boolean-based SQL Injection via the 'default_price' and 'product_id' parameters in all versions up to, and including, 3.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi Ultimate Gift Cards For Woocommerce PHP
CVE-2025-4671 MEDIUM CVSS 6.4
The Profile Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's user_meta and compare shortcodes in all versions up to, and including, 3.13.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
CVE-2025-4567 MEDIUM CVSS 4.8
The Post Slider and Post Carousel with Post Vertical Scrolling Widget WordPress plugin before 3.2.10 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

WordPress XSS Post Slider And Post Carousel PHP
CVE-2025-4420 MEDIUM CVSS 6.4
The Vayu Blocks - Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerWidth’ parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
CVE-2025-4205 MEDIUM CVSS 6.4
The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popupID' parameter in all versions up to, and including, 1.20.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
CVE-2025-4047 MEDIUM CVSS 4.3
A security vulnerability in Broken Link Checker (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass PHP
CVE-2025-3662 MEDIUM CVSS 6.1
The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS

WordPress XSS Fancybox PHP
CVE-2025-3584 MEDIUM CVSS 4.8
The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

WordPress XSS Newsletter PHP
CVE-2025-2939 MEDIUM CVSS 5.6
The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.

Deserialization WordPress PHP Ninja Tables
CVE-2025-1725 MEDIUM CVSS 6.4
The Bit File Manager - 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

WordPress File Upload XSS PHP
CVE-2025-1334 MEDIUM CVSS 4.0
CVE-2025-1334 is a security vulnerability (CVSS 4.0) that allows web pages. Remediation should follow standard vulnerability management procedures.

Information Disclosure IBM Cloud Pak For Security Qradar Suite
CVE-2024-53018 MEDIUM CVSS 6.6
CVE-2024-53018 is a security vulnerability (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Buffer Overflow Wsa8835 Firmware Wcd9385 Firmware Wsa8830 Firmware Sw5100 Firmware
CVE-2024-53017 MEDIUM CVSS 6.6
Memory corruption while handling test pattern generator IOCTL command.

Buffer Overflow Memory Corruption Wcn3620 Firmware Wcn3660b Firmware Snapdragon 429 Mobile Platform Firmware
CVE-2024-53016 MEDIUM CVSS 6.6
CVE-2024-53016 is a security vulnerability (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Buffer Overflow Wcn3660b Firmware Wcn3980 Firmware Wsa8810 Firmware Wcd9385 Firmware
CVE-2024-53015 MEDIUM CVSS 6.6
Memory corruption while processing IOCTL command to handle buffers associated with a session.

Use After Free Buffer Overflow Memory Corruption Wcd9340 Firmware Snapdragon 480 5g Mobile Platform Firmware
CVE-2024-53013 MEDIUM CVSS 6.6
Memory corruption may occur while processing voice call registration with user.

Buffer Overflow Qca9367 Firmware Wcn3620 Firmware Wsa8810 Firmware Wsa8815 Firmware
CVE-2024-45655 MEDIUM CVSS 5.5
IBM Application Gateway 19.12 through 24.09 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.

Authentication Bypass IBM Application Gateway
CVE-2024-12718 MEDIUM CVSS 5.3
Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Python RCE Path Traversal Ubuntu Debian
CVE-2025-49000 LOW CVSS 3.5
InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. the issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.

Python Denial Of Service
CVE-2025-5543 LOW CVSS 2.4
A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Parent Controls Page. The manipulation of the argument Device Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

XSS TOTOLINK
CVE-2025-5542 LOW CVSS 2.4
A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been classified as problematic. Affected is an unknown function of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

XSS TOTOLINK
CVE-2025-5523 LOW CVSS 3.5
A vulnerability classified as problematic has been found in enilu web-flash 1.0. This affects the function fileService.upload of the file src/main/java/cn/enilu/flash/api/controller/FileController/upload of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

File Upload Java XSS
CVE-2025-5516 LOW CVSS 2.4
A vulnerability, which was classified as problematic, was found in TOTOLINK X2000R 1.0.0-B20230726.1108. This affects an unknown part of the file /boafrm/formFilter of the component URL Filtering Page. The manipulation of the argument URL Address leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
CVE-2025-5513 LOW CVSS 3.5
A vulnerability has been found in quequnlong shiyi-blog up to 1.2.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /dev-api/api/comment/add. The manipulation of the argument content leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS
CVE-2025-5508 LOW CVSS 2.4
A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been rated as problematic. Affected by this issue is some unknown functionality of the component IP Port Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
CVE-2025-5507 LOW CVSS 2.4
A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component MAC Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
CVE-2025-5506 LOW CVSS 2.4
A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011. It has been classified as problematic. Affected is an unknown function of the component NAT Mapping Page. The manipulation of the argument Comment leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK
CVE-2025-5505 LOW CVSS 2.4
A vulnerability was found in TOTOLINK A3002RU 2.1.1-B20230720.1011 and classified as problematic. This issue affects some unknown processing of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS TOTOLINK

Today's Vulnerabilities Vulnerabilities