Skip to main content
CVE-2025-5750 HIGH This Week

Heap-based buffer overflow vulnerability in WOLFBOX Level 2 EV Charger that allows network-adjacent attackers to execute arbitrary code without authentication. The flaw exists in the tuya_svc_devos_activate_result_parse function where insufficient validation of secKey, localKey, stdTimeZone, and devId parameters enables remote code execution. With a CVSS score of 8.8 and network-adjacent attack vector, this represents a critical risk for deployed EV charging infrastructure.

Buffer Overflow RCE Level 2 Ev Charger Firmware
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2025-33031 HIGH PATCH This Week

CVE-2025-33031 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. An attacker with valid user credentials can exploit insufficient SSL/TLS certificate validation to perform man-in-the-middle attacks or bypass security controls. The vulnerability has a high CVSS score of 8.8 and affects all versions of File Station 5 prior to 5.5.6.4847; patches are available from Synology.

Information Disclosure File Station
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-30279 HIGH PATCH This Week

CVE-2025-30279 is an improper certificate validation vulnerability in QNAP File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. Affected versions are below 5.5.6.4847; the vulnerability requires valid user credentials but no user interaction, making it a significant post-authentication attack vector with a CVSS score of 8.8 indicating high severity.

Qnap Authentication Bypass File Station
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-29885 HIGH PATCH This Week

CVE-2025-29885 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. The vulnerability affects File Station 5 versions prior to 5.5.6.4791 and requires valid user credentials to exploit. With a CVSS score of 8.8 and a low attack complexity, this represents a significant risk to organizations running vulnerable versions, though exploitation requires prior authentication.

Synology Authentication Bypass File Station
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-29884 HIGH PATCH This Week

CVE-2025-29884 is an improper certificate validation vulnerability affecting Synology File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. The vulnerability requires user-level access but enables complete system compromise with high impact across all security dimensions. No active KEV or public POC data is currently available, but the CVSS 8.8 score and low attack complexity indicate this should be prioritized for patching.

Synology Authentication Bypass File Station
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-29883 HIGH PATCH This Week

CVE-2025-29883 is an improper certificate validation vulnerability affecting Synology File Station 5 that allows authenticated remote attackers to compromise system security through man-in-the-middle attacks or credential harvesting. The vulnerability requires valid user credentials (PR:L) but can result in complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 8.8). Patched versions are available for File Station 5 5.5.6.4791 and later.

Qnap Authentication Bypass File Station
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-22486 HIGH PATCH This Week

CVE-2025-22486 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. The vulnerability affects File Station 5 versions prior to 5.5.6.4791, and while it requires valid user credentials (PR:L in CVSS), the lack of user interaction requirement (UI:N) and network accessibility (AV:N) make it a high-severity threat in multi-user environments. No confirmed KEV or active exploitation data is available at this time, but the high CVSS score of 8.8 and the nature of certificate validation bypass attacks warrant immediate patching.

Information Disclosure File Station
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-29892 HIGH PATCH This Week

SQL injection vulnerability in Qsync Central that allows authenticated remote attackers to execute arbitrary code or commands with high impact on confidentiality, integrity, and availability. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released 2025/03/20), and while no active KEV or public PoC is explicitly referenced in the provided data, the high CVSS score of 8.8 combined with low attack complexity and low privilege requirements indicates this is a serious, readily exploitable vulnerability that should be prioritized for patching.

SQLi Qnap RCE Qsync Central
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-49288 HIGH This Week

Missing Authorization vulnerability in Rustaurius Ultimate WP Mail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate WP Mail: from n/a through 1.3.5.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-2766 HIGH This Week

Critical authentication bypass vulnerability in the 70mai A510 dashcam that exploits default credentials in the device's user account configuration. Network-adjacent attackers can bypass authentication without any credentials and achieve remote code execution with root privileges. This vulnerability presents an immediate and severe risk due to its low attack complexity, lack of user interaction requirement, and the widespread deployment of 70mai dashcams in vehicles.

RCE Authentication Bypass A510 Firmware
NVD
CVSS 3.0
8.8
EPSS
0.0%
CVE-2025-48906 HIGH This Week

CVE-2025-48906 is an authentication bypass vulnerability in the DSoftBus module that allows unauthenticated attackers on the local network to completely compromise system confidentiality, integrity, and availability without user interaction. The vulnerability affects DSoftBus implementations across multiple platforms with a CVSS score of 8.8, indicating critical severity with high exploitability potential on adjacent networks.

Authentication Bypass Denial Of Service Harmonyos
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-5749 HIGH This Week

Critical authentication bypass vulnerability in WOLFBOX Level 2 EV Charger devices caused by uninitialized cryptographic key variables in BLE vendor-specific encrypted communications. Network-adjacent attackers can completely bypass authentication without credentials, gaining full system access (confidentiality, integrity, and availability compromise). The vulnerability (CVSS 8.8) affects encrypted BLE communications and represents a significant risk to EV charging infrastructure security, though real-world exploitation likelihood depends on proximity requirements and patch availability from WOLFBOX.

Authentication Bypass Level 2 Ev Charger Firmware
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-41360 HIGH PATCH This Week

CVE-2025-41360 is an uncontrolled resource consumption vulnerability affecting IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04 that enables remote denial of service through packet flooding attacks. The vulnerability allows unauthenticated network attackers to exhaust device resources with minimal complexity, resulting in service unavailability. The high CVSS score of 8.7 reflects the critical availability impact, though exploitation requires network access and no privilege escalation is possible.

Denial Of Service
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-47584 HIGH This Week

A deserialization vulnerability in ThemeGoods Photography (CVSS 8.5). High severity vulnerability requiring prompt remediation.

Deserialization Photography
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-49323 HIGH This Week

SQL injection vulnerability in Themefic Hydra Booking plugin versions through 1.1.10 that allows authenticated attackers to execute arbitrary SQL queries. An attacker with user-level privileges can manipulate SQL commands to extract sensitive database information, bypass authentication, or modify data without user interaction. This vulnerability has a CVSS score of 8.5 (High) and represents a significant risk to WordPress installations using affected versions of the plugin.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-41361 HIGH PATCH This Week

A remote code execution vulnerability in IDF (CVSS 8.3). High severity vulnerability requiring prompt remediation.

Denial Of Service TLS IoT
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-28986 HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin versions up to 1.5 allows unauthenticated attackers to perform unauthorized actions via crafted requests. While the CVE description anomalously mentions SQL Injection alongside CSRF, the CVSS vector (CWE-352: CSRF) and vector string indicate the primary threat is CSRF with consequential impacts on confidentiality (High) and availability (Low). The vulnerability requires user interaction (UI:R) and affects confidentiality significantly, making it a material risk for WordPress installations using this plugin, particularly if no active mitigation or patch is available.

CSRF SQLi
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-48911 HIGH This Week

CVE-2025-48911 is an improper permission assignment vulnerability in a note sharing module that allows local attackers with user interaction to compromise system availability and potentially access sensitive information. The vulnerability has a CVSS score of 8.2 (High) with a broad scope impact, though specific affected products, patch status, and exploitation telemetry are not provided in the available intelligence sources. Without KEV confirmation or EPSS data, the real-world exploitation risk cannot be definitively assessed, but the local attack vector and user interaction requirement suggest this is less critical than remote, unauthenticated vulnerabilities.

Information Disclosure Privilege Escalation Harmonyos
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-22482 HIGH PATCH This Week

Format string vulnerability in QNAP Qsync Central that allows authenticated remote attackers to read sensitive data or modify memory without user interaction. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released March 20, 2025), with a CVSS score of 8.1 indicating high severity. While no public exploit or KEV status is currently documented, the low attack complexity and requirement for only low-privilege user access make this a significant risk for organizations running vulnerable versions.

Information Disclosure Qnap Code Injection Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-48905 HIGH This Week

WebAssembly exception handling vulnerability in the arkweb v8 module that prevents proper capture of specific Wasm exception types, potentially allowing attackers to bypass security controls or trigger unexpected application behavior. The vulnerability affects arkweb's V8 integration layer and requires network access but high attack complexity to exploit. While the CVSS score of 8.1 indicates high severity with potential impacts to confidentiality, integrity, and availability, real-world exploitability depends on whether active exploitation or proof-of-concept code exists.

Information Disclosure Harmonyos
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-5748 HIGH This Week

Critical remote code execution vulnerability in WOLFBOX Level 2 EV Charger devices that exploits an exposed dangerous method in the Tuya communications module, allowing network-adjacent attackers to upload and execute arbitrary code despite authentication requirements. The authentication bypass mechanism combined with the exposed software upload functionality creates a high-severity attack path that can grant attackers complete control over affected EV charger installations. This vulnerability (formerly ZDI-CAN-26349) presents significant risk to vehicle charging infrastructure and connected IoT deployments relying on Tuya-based communication protocols.

RCE Authentication Bypass IoT Level 2 Ev Charger Firmware
NVD
CVSS 3.0
8.0
EPSS
0.2%
CVE-2025-5747 HIGH This Week

Remote code execution vulnerability in WOLFBOX Level 2 EV Charger devices caused by improper frame parsing in the Microcontroller Unit (MCU) firmware. Network-adjacent attackers with valid authentication credentials can exploit a frame start detection flaw to misinterpret command input and execute arbitrary code with full device privileges. While no public exploit code or active KEV listing is confirmed from the provided data, the CVSS 8.0 score and requirement for authentication (not public network access) suggest moderate real-world exploitability; however, this should be verified against EPSS scores and vendor advisories for actual threat intelligence integration.

RCE Level 2 Ev Charger Firmware
NVD
CVSS 3.0
8.0
EPSS
0.1%
CVE-2025-5806 HIGH PATCH This Week

A cross-site scripting vulnerability (CVSS 8.0). High severity vulnerability requiring prompt remediation.

XSS Jenkins Java Gatling
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-5481 HIGH This Week

Out-of-bounds write vulnerability in Sante DICOM Viewer Pro's DCM file parsing that allows remote code execution with high severity (CVSS 7.8). The vulnerability affects users who open malicious DICOM files, enabling attackers to execute arbitrary code in the application's process context. This is a user-interaction-dependent vulnerability with local attack vector, but the ability to trigger RCE via file opening makes it practically significant for targeted attacks.

Buffer Overflow RCE Dicom Viewer Pro
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2025-38000 HIGH PATCH This Week

Use-after-free vulnerability in the Linux kernel's HFSC (Hierarchical Fair Service Curve) queue discipline scheduler that occurs when enqueuing packets triggers a peek operation on child qdiscs before queue accounting is updated. Local attackers with unprivileged user privileges can exploit this to cause denial of service or potentially execute code with kernel privileges. The vulnerability affects Linux kernel versions with the vulnerable HFSC implementation and has a CVSS score of 7.8 (high severity) with local attack vector requirements.

Use After Free Linux Denial Of Service Linux Kernel Debian Linux +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-13088 HIGH PATCH This Week

CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network attackers with low privileges to compromise system confidentiality, integrity, and availability. The vulnerability requires local network access and low privileges but no user interaction, making it a significant risk for networked environments. Patch versions QuRouter 2.5.0.140 and later are available, though KEV/EPSS data and active exploitation status are not confirmed in the provided intelligence.

Authentication Bypass Qurouter
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-5480 HIGH This Week

Local privilege escalation vulnerability in Action1 where an attacker with low-privileged code execution can exploit an insecure OpenSSL configuration file loading mechanism to achieve SYSTEM-level code execution. The vulnerability requires prior code execution capability on the target system but presents a direct path to full system compromise once initial access is obtained. No active exploitation or public POC has been confirmed at this time, but the moderate CVSS score of 7.8 and CWE-427 classification indicate a meaningful risk to Action1 users.

OpenSSL RCE Privilege Escalation Agent
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2025-48903 HIGH This Week

Permission bypass vulnerability in the media library module that allows unauthenticated local attackers to escalate privileges and gain unauthorized access to sensitive functionality. The vulnerability has a CVSS score of 7.8 (High) and impacts confidentiality, integrity, and availability. While the description indicates only availability impact, the CVSS vector reveals high C/I/A ratings, suggesting attackers can read, modify, or delete protected media assets and potentially disrupt service availability.

Privilege Escalation Harmonyos
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-49421 HIGH This Week

SQL injection vulnerability in Andrei Filonov's WP Text Expander WordPress plugin (versions through 1.0.1) that allows authenticated attackers with high-privilege administrative roles to execute arbitrary SQL queries. The vulnerability has a CVSS score of 7.6 (high severity) due to its ability to achieve confidentiality compromise and limited availability impact, though it requires administrative credentials to exploit. No current KEV (Known Exploited Vulnerability) status or public proof-of-concept is indicated in the provided data, suggesting limited real-world active exploitation at present.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49328 HIGH This Week

SQL injection vulnerability in Agile Logix Store Locator WordPress plugin (versions up to 1.5.1) that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.6 with high confidentiality impact and limited availability impact, though it requires administrative-level privileges to exploit. The scope is changed, indicating potential impact beyond the vulnerable component itself.

WordPress SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49327 HIGH This Week

SQL injection vulnerability in Ruben Garcia ShortLinks Pro versions up to 1.0.7 that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.6 (High) and affects the ShortLinks Pro WordPress plugin; while the attack requires elevated privileges, successful exploitation could lead to unauthorized data access and limited system availability impacts. No active exploitation in the wild or public POC has been widely reported at this time, though the SQL injection class (CWE-89) remains a critical attack vector.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49326 HIGH This Week

SQL Injection vulnerability in GamiPress (a WordPress gamification plugin) affecting versions through 7.4.5. An authenticated attacker with high privileges can execute arbitrary SQL commands to read sensitive database information, potentially compromising data confidentiality and availability. While the CVSS score is 7.6 (high), the attack requires high privileges and there is no public indication of active exploitation in the wild.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49315 HIGH This Week

CVE-2025-49315 is an SQL injection vulnerability in PersianScript's Persian Woocommerce SMS plugin affecting versions up to 7.0.10. An authenticated attacker with high privileges (administrator or above) can inject arbitrary SQL commands to read sensitive database information and cause denial of service. While the CVSS score is 7.6 (high), the requirement for elevated privileges (PR:H) and lack of integrity impact limit real-world exploitability, though the cross-site scope elevation and confirmed existence of this vulnerability class in WordPress plugins warrant immediate patching.

SQLi WordPress
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49263 HIGH This Week

Blind SQL injection vulnerability in WC Vendors Marketplace plugin versions through 2.5.6 that allows authenticated attackers with high privileges (administrator or vendor) to extract sensitive database information without direct output visibility. The vulnerability has a CVSS score of 7.6 with high confidentiality impact, though integrity is not compromised and availability impact is low. No publicly available exploit code or active exploitation has been confirmed at this time, but the attack requires only network access and high privilege authentication.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-30989 HIGH This Week

A SQL Injection vulnerability (CWE-89) exists in Renzo Tejada's 'Libro de Reclamaciones y Quejas' application versions up to 0.9, allowing authenticated attackers with high privileges to execute arbitrary SQL commands. While the CVSS score is 7.6 (High), the attack requires prior authentication and high-level privileges (PR:H), significantly reducing real-world exploitability. The vulnerability impacts confidentiality (data exfiltration) and limited availability, though integrity is not affected. Without confirmed KEV status, active exploitation data, or public proof-of-concept, this represents a medium-priority issue requiring patching but not immediate emergency response.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-26590 HIGH This Week

SQL Injection vulnerability in Nir Complete Google SEO Scan plugin (versions up to 3.5.1) that allows authenticated attackers with high privileges to execute arbitrary SQL commands against the database. While the CVSS score is 7.6 (high), the attack requires administrative credentials and does not enable data modification, limiting real-world impact to information disclosure and service degradation. No active exploitation in the wild has been confirmed at this time.

SQLi Google
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2023-26003 HIGH This Week

SQL injection vulnerability in the WP Post Corrector WordPress plugin (versions up to 1.0.2) that allows authenticated attackers with high privileges to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure and limited service disruption. The vulnerability requires administrator-level access to exploit, significantly limiting its immediate threat surface, though it could be chained with privilege escalation attacks.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49262 HIGH This Week

Stored Cross-Site Scripting (XSS) vulnerability in the Sina Extension for Elementor WordPress plugin (versions up to 3.6.1) that allows authenticated attackers with high privileges to inject malicious scripts into web pages. When victims view the affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or defacement. While the CVSS score of 7.6 indicates moderate-to-high severity, the requirement for high-privilege authentication (PR:H) significantly limits exploitation scope compared to unauthenticated XSS vulnerabilities.

XSS Elementor
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-5192 HIGH This Week

Missing authentication vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408 that allows unauthenticated remote attackers to bypass authentication controls and access critical application functions. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality impact, indicating attackers can read sensitive HR data without credentials. While specific KEV or active exploitation status is not confirmed in available data, the network-accessible nature (AV:N), lack of authentication requirement (PR:N), and criticality of HR systems suggest elevated real-world risk.

Authentication Bypass Hr Portal
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49313 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in ovatheme BRW versions up to 1.8.6, stemming from improper control of filename parameters in include/require statements. An authenticated attacker with low privileges can exploit this to read arbitrary files from the server filesystem, potentially gaining access to sensitive configuration files, source code, or credentials. The vulnerability requires network access and authenticated user status (CWE-98 improper input validation on file paths), with a CVSS score of 7.5 indicating high confidentiality and integrity impact.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49308 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in WP Travel Engine affecting versions through 6.5.1. An authenticated attacker with low privileges can exploit improper filename control in PHP include/require statements to read arbitrary files from the server, potentially obtaining sensitive configuration data, credentials, or source code. While the CVSS score is moderate (7.5), the vulnerability requires authentication and higher attack complexity, but successful exploitation could lead to complete information disclosure and potential privilege escalation.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49307 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in Magazine3's WP Multilang plugin versions up to 2.4.19, stemming from improper control of filenames in PHP include/require statements. An authenticated attacker with low privileges can exploit this vulnerability to read arbitrary local files on the affected WordPress server, potentially leading to information disclosure, code execution, or system compromise. The CVSS score of 7.5 reflects high confidentiality and integrity impact, though exploitation requires valid credentials and non-standard conditions (AC:H).

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-30999 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in the WP Shopify plugin (versions up to 1.5.3) that allows authenticated attackers to include and execute arbitrary local files on the web server through improper control of filename parameters in PHP include/require statements. The vulnerability requires low-privilege user access (PR:L) and has moderate attack complexity (AC:H), but results in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H), making it a significant risk for WordPress sites using this plugin.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2023-25995 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in choicehomemortgage AI Mortgage Calculator versions up to 1.0.1, caused by improper input validation on file inclusion statements. An authenticated attacker with low privileges can exploit this vulnerability over the network to read arbitrary files from the server, potentially leading to information disclosure, privilege escalation, or remote code execution. The high CVSS score of 7.5 reflects the severity of potential impacts (confidentiality, integrity, availability compromise), though the requirement for authenticated access and high attack complexity somewhat limit real-world exploitability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-29872 HIGH PATCH This Week

Denial-of-service vulnerability in QNAP File Station 5 that allows an authenticated attacker to exhaust system resources without limits or throttling, preventing legitimate users and processes from accessing the affected service. The vulnerability affects File Station 5 versions prior to 5.5.6.4847 and is remotely exploitable with no user interaction required once account access is obtained. With a CVSS score of 7.5 (High) and network-based attack vector, this represents a significant availability risk for organizations relying on File Station for network file access.

Denial Of Service Synology File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29877 HIGH PATCH This Week

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by causing the application to crash. While the CVSS 7.5 score reflects the severity of availability impact, the vulnerability requires valid user credentials to exploit, making it primarily a risk for organizations with compromised or malicious insider accounts. The vendor has released patches in version 5.5.6.4847 and later.

Null Pointer Dereference Denial Of Service Qnap File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29876 HIGH PATCH This Week

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. While the CVSS score of 7.5 is elevated, the requirement for a valid user account (PR:N is misleading in vector; effective privilege requirement exists) and lack of data confidentiality/integrity impact limit real-world severity. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and the vendor has released patched versions.

Null Pointer Dereference Denial Of Service Qnap File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29873 HIGH PATCH This Week

NULL pointer dereference vulnerability affecting QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and high availability impact, though it requires valid user credentials to exploit. QNAP has released patched versions (5.5.6.4847 and later) to remediate this issue.

Null Pointer Dereference Denial Of Service Qnap File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-22490 HIGH PATCH This Week

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and while it requires valid user credentials (PR:N indicates no privileges required once authenticated), it has a CVSS score of 7.5 reflecting high availability impact. No indication of active exploitation in the wild or public POC is evident from the provided data.

Null Pointer Dereference Denial Of Service Qnap File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48781 HIGH This Week

A remote code execution vulnerability in the download file function of Soar Cloud HRD Human Resource Management System (CVSS 7.5) that allows remote attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure Hr Portal
NVD
CVSS 3.1
7.5
EPSS
0.1%
Prev Page 2 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy