Skip to main content
CVE-2025-5480 HIGH This Week

Local privilege escalation vulnerability in Action1 where an attacker with low-privileged code execution can exploit an insecure OpenSSL configuration file loading mechanism to achieve SYSTEM-level code execution. The vulnerability requires prior code execution capability on the target system but presents a direct path to full system compromise once initial access is obtained. No active exploitation or public POC has been confirmed at this time, but the moderate CVSS score of 7.8 and CWE-427 classification indicate a meaningful risk to Action1 users.

OpenSSL RCE Privilege Escalation Agent
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2025-48903 HIGH This Week

Permission bypass vulnerability in the media library module that allows unauthenticated local attackers to escalate privileges and gain unauthorized access to sensitive functionality. The vulnerability has a CVSS score of 7.8 (High) and impacts confidentiality, integrity, and availability. While the description indicates only availability impact, the CVSS vector reveals high C/I/A ratings, suggesting attackers can read, modify, or delete protected media assets and potentially disrupt service availability.

Privilege Escalation Harmonyos
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-49421 HIGH This Week

SQL injection vulnerability in Andrei Filonov's WP Text Expander WordPress plugin (versions through 1.0.1) that allows authenticated attackers with high-privilege administrative roles to execute arbitrary SQL queries. The vulnerability has a CVSS score of 7.6 (high severity) due to its ability to achieve confidentiality compromise and limited availability impact, though it requires administrative credentials to exploit. No current KEV (Known Exploited Vulnerability) status or public proof-of-concept is indicated in the provided data, suggesting limited real-world active exploitation at present.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49328 HIGH This Week

SQL injection vulnerability in Agile Logix Store Locator WordPress plugin (versions up to 1.5.1) that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.6 with high confidentiality impact and limited availability impact, though it requires administrative-level privileges to exploit. The scope is changed, indicating potential impact beyond the vulnerable component itself.

WordPress SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49327 HIGH This Week

SQL injection vulnerability in Ruben Garcia ShortLinks Pro versions up to 1.0.7 that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.6 (High) and affects the ShortLinks Pro WordPress plugin; while the attack requires elevated privileges, successful exploitation could lead to unauthorized data access and limited system availability impacts. No active exploitation in the wild or public POC has been widely reported at this time, though the SQL injection class (CWE-89) remains a critical attack vector.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49326 HIGH This Week

SQL Injection vulnerability in GamiPress (a WordPress gamification plugin) affecting versions through 7.4.5. An authenticated attacker with high privileges can execute arbitrary SQL commands to read sensitive database information, potentially compromising data confidentiality and availability. While the CVSS score is 7.6 (high), the attack requires high privileges and there is no public indication of active exploitation in the wild.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49315 HIGH This Week

CVE-2025-49315 is an SQL injection vulnerability in PersianScript's Persian Woocommerce SMS plugin affecting versions up to 7.0.10. An authenticated attacker with high privileges (administrator or above) can inject arbitrary SQL commands to read sensitive database information and cause denial of service. While the CVSS score is 7.6 (high), the requirement for elevated privileges (PR:H) and lack of integrity impact limit real-world exploitability, though the cross-site scope elevation and confirmed existence of this vulnerability class in WordPress plugins warrant immediate patching.

SQLi WordPress
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49263 HIGH This Week

Blind SQL injection vulnerability in WC Vendors Marketplace plugin versions through 2.5.6 that allows authenticated attackers with high privileges (administrator or vendor) to extract sensitive database information without direct output visibility. The vulnerability has a CVSS score of 7.6 with high confidentiality impact, though integrity is not compromised and availability impact is low. No publicly available exploit code or active exploitation has been confirmed at this time, but the attack requires only network access and high privilege authentication.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-30989 HIGH This Week

A SQL Injection vulnerability (CWE-89) exists in Renzo Tejada's 'Libro de Reclamaciones y Quejas' application versions up to 0.9, allowing authenticated attackers with high privileges to execute arbitrary SQL commands. While the CVSS score is 7.6 (High), the attack requires prior authentication and high-level privileges (PR:H), significantly reducing real-world exploitability. The vulnerability impacts confidentiality (data exfiltration) and limited availability, though integrity is not affected. Without confirmed KEV status, active exploitation data, or public proof-of-concept, this represents a medium-priority issue requiring patching but not immediate emergency response.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-26590 HIGH This Week

SQL Injection vulnerability in Nir Complete Google SEO Scan plugin (versions up to 3.5.1) that allows authenticated attackers with high privileges to execute arbitrary SQL commands against the database. While the CVSS score is 7.6 (high), the attack requires administrative credentials and does not enable data modification, limiting real-world impact to information disclosure and service degradation. No active exploitation in the wild has been confirmed at this time.

SQLi Google
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2023-26003 HIGH This Week

SQL injection vulnerability in the WP Post Corrector WordPress plugin (versions up to 1.0.2) that allows authenticated attackers with high privileges to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure and limited service disruption. The vulnerability requires administrator-level access to exploit, significantly limiting its immediate threat surface, though it could be chained with privilege escalation attacks.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49262 HIGH This Week

Stored Cross-Site Scripting (XSS) vulnerability in the Sina Extension for Elementor WordPress plugin (versions up to 3.6.1) that allows authenticated attackers with high privileges to inject malicious scripts into web pages. When victims view the affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or defacement. While the CVSS score of 7.6 indicates moderate-to-high severity, the requirement for high-privilege authentication (PR:H) significantly limits exploitation scope compared to unauthenticated XSS vulnerabilities.

XSS Elementor
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-5192 HIGH This Week

Missing authentication vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408 that allows unauthenticated remote attackers to bypass authentication controls and access critical application functions. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality impact, indicating attackers can read sensitive HR data without credentials. While specific KEV or active exploitation status is not confirmed in available data, the network-accessible nature (AV:N), lack of authentication requirement (PR:N), and criticality of HR systems suggest elevated real-world risk.

Authentication Bypass Hr Portal
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49313 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in ovatheme BRW versions up to 1.8.6, stemming from improper control of filename parameters in include/require statements. An authenticated attacker with low privileges can exploit this to read arbitrary files from the server filesystem, potentially gaining access to sensitive configuration files, source code, or credentials. The vulnerability requires network access and authenticated user status (CWE-98 improper input validation on file paths), with a CVSS score of 7.5 indicating high confidentiality and integrity impact.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49308 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in WP Travel Engine affecting versions through 6.5.1. An authenticated attacker with low privileges can exploit improper filename control in PHP include/require statements to read arbitrary files from the server, potentially obtaining sensitive configuration data, credentials, or source code. While the CVSS score is moderate (7.5), the vulnerability requires authentication and higher attack complexity, but successful exploitation could lead to complete information disclosure and potential privilege escalation.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49307 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in Magazine3's WP Multilang plugin versions up to 2.4.19, stemming from improper control of filenames in PHP include/require statements. An authenticated attacker with low privileges can exploit this vulnerability to read arbitrary local files on the affected WordPress server, potentially leading to information disclosure, code execution, or system compromise. The CVSS score of 7.5 reflects high confidentiality and integrity impact, though exploitation requires valid credentials and non-standard conditions (AC:H).

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-30999 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in the WP Shopify plugin (versions up to 1.5.3) that allows authenticated attackers to include and execute arbitrary local files on the web server through improper control of filename parameters in PHP include/require statements. The vulnerability requires low-privilege user access (PR:L) and has moderate attack complexity (AC:H), but results in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H), making it a significant risk for WordPress sites using this plugin.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2023-25995 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in choicehomemortgage AI Mortgage Calculator versions up to 1.0.1, caused by improper input validation on file inclusion statements. An authenticated attacker with low privileges can exploit this vulnerability over the network to read arbitrary files from the server, potentially leading to information disclosure, privilege escalation, or remote code execution. The high CVSS score of 7.5 reflects the severity of potential impacts (confidentiality, integrity, availability compromise), though the requirement for authenticated access and high attack complexity somewhat limit real-world exploitability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-29872 HIGH PATCH This Week

Denial-of-service vulnerability in QNAP File Station 5 that allows an authenticated attacker to exhaust system resources without limits or throttling, preventing legitimate users and processes from accessing the affected service. The vulnerability affects File Station 5 versions prior to 5.5.6.4847 and is remotely exploitable with no user interaction required once account access is obtained. With a CVSS score of 7.5 (High) and network-based attack vector, this represents a significant availability risk for organizations relying on File Station for network file access.

Denial Of Service Synology File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29877 HIGH PATCH This Week

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by causing the application to crash. While the CVSS 7.5 score reflects the severity of availability impact, the vulnerability requires valid user credentials to exploit, making it primarily a risk for organizations with compromised or malicious insider accounts. The vendor has released patches in version 5.5.6.4847 and later.

Null Pointer Dereference Denial Of Service Qnap File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29876 HIGH PATCH This Week

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. While the CVSS score of 7.5 is elevated, the requirement for a valid user account (PR:N is misleading in vector; effective privilege requirement exists) and lack of data confidentiality/integrity impact limit real-world severity. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and the vendor has released patched versions.

Null Pointer Dereference Denial Of Service Qnap File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29873 HIGH PATCH This Week

NULL pointer dereference vulnerability affecting QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and high availability impact, though it requires valid user credentials to exploit. QNAP has released patched versions (5.5.6.4847 and later) to remediate this issue.

Null Pointer Dereference Denial Of Service Qnap File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-22490 HIGH PATCH This Week

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and while it requires valid user credentials (PR:N indicates no privileges required once authenticated), it has a CVSS score of 7.5 reflecting high availability impact. No indication of active exploitation in the wild or public POC is evident from the provided data.

Null Pointer Dereference Denial Of Service Qnap File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48781 HIGH This Week

A remote code execution vulnerability in the download file function of Soar Cloud HRD Human Resource Management System (CVSS 7.5) that allows remote attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure Hr Portal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48783 HIGH This Week

CVE-2025-48783 is an external control of file name or path vulnerability (CWE-73) in the delete file function of Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408, allowing unauthenticated remote attackers to delete arbitrary files by manipulating file path parameters. The vulnerability has a CVSS score of 7.5 with high integrity impact, enabling attackers to perform unauthorized file deletion without authentication. Exploitation requires only network access and no user interaction, making this a significant threat to organizations using affected HRD system versions.

Information Disclosure Hr Portal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48784 HIGH This Week

Missing authorization vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408 that allows unauthenticated remote attackers to modify critical system settings without any credentials or user interaction. This is a high-severity integrity violation (CVSS 7.5) affecting HR management infrastructure; attackers can alter configurations that may impact payroll, employee records, access controls, and compliance functions. No exploitation complexity is required (AC:L, PR:N), making this vulnerability immediately exploitable in real-world environments.

Information Disclosure Hr Portal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-47950 HIGH PATCH This Week

A denial of service vulnerability in versions (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Denial Of Service Coredns Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49237 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in POEditor that enables path traversal attacks, affecting versions 0.9.10 and earlier. An attacker can exploit this via a crafted request to perform unauthorized actions on behalf of an authenticated user, potentially leading to high availability impact. While the CVSS score of 7.4 indicates a significant threat, the requirement for user interaction (UI:R) and network-based attack vector limits real-world exploitability; current KEV and EPSS data are needed to determine if active exploitation is occurring.

CSRF Path Traversal
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-28954 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in the wphobby Backwp WordPress plugin (versions through 2.0.2) that enables path traversal attacks. An unauthenticated remote attacker can exploit this via a crafted web request to perform unauthorized actions and potentially access sensitive files outside intended directories. While the CVSS score of 7.4 indicates high severity with availability impact, the vulnerability requires user interaction (UI:R) and affects availability rather than confidentiality or integrity, suggesting moderate real-world exploitability.

CSRF Path Traversal
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-5474 HIGH This Week

Local privilege escalation vulnerability in 2BrightSparks SyncBackFree that allows low-privileged attackers to escalate to SYSTEM-level privileges by abusing the Mirror functionality through malicious junction creation. The vulnerability requires local code execution capability and administrator interaction, enabling arbitrary file deletion and code execution with SYSTEM privileges. This is a moderately severe local privilege escalation with a CVSS score of 7.3.

RCE Privilege Escalation Syncbackfree
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2025-22484 HIGH PATCH This Week

CVE-2025-22484 is an unthrottled resource allocation vulnerability in Qnap File Station 5 that allows authenticated remote attackers to exhaust system resources and cause denial of service. An attacker with valid user credentials can exploit this CWE-770 weakness to prevent legitimate users and processes from accessing shared resources, affecting availability. The vulnerability has a moderate-to-high CVSS 7.1 score driven by network accessibility and high availability impact, though it requires prior authentication; the fix is available in File Station 5 version 5.5.6.4847 and later.

Denial Of Service Qnap
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2025-5018 HIGH This Week

The Hive Support WordPress plugin (versions ≤1.2.4) contains missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions, allowing authenticated Subscriber-level users to read and modify sensitive data including OpenAI API keys, inspection data, and AI chat prompts. With a CVSS score of 7.1 and network-accessible attack vector requiring only user authentication, this vulnerability poses significant risk to WordPress installations using this plugin. The vulnerability may be a duplicate of CVE-2025-32208 or CVE-2025-32242, and patch status and active exploitation metrics are currently unknown.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-48329 HIGH This Week

A reflected cross-site scripting (XSS) vulnerability exists in Daman Jeet's Real Time Validation for Gravity Forms plugin affecting versions through 1.7.0, allowing unauthenticated attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can compromise user sessions, steal credentials, or deface form content due to its cross-site impact scope. While the CVSS score of 7.1 indicates moderate-to-high severity, real-world exploitation depends on form visibility and user interaction patterns.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49453 HIGH This Week

CSRF vulnerability in Jatinder Pal Singh BP Profile as Homepage plugin (versions through 1.1) that enables Stored XSS attacks. An unauthenticated attacker can exploit this via a malicious web request to inject persistent JavaScript into the application, affecting all users who view the compromised profile. The vulnerability requires user interaction (CVSS UI:R) but has cross-site scope impact (S:C), resulting in a 7.1 medium-high severity rating; KEV status and active exploitation data are not currently available in public disclosures.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49425 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft's Konami Easter Egg browser extension (versions through v0.4) that can lead to Stored Cross-Site Scripting (XSS) attacks. An attacker can craft a malicious request to inject persistent JavaScript code that executes in the context of affected users' browsers, potentially compromising user sessions, stealing credentials, or performing unauthorized actions. With a CVSS score of 7.1 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to users of the extension, though real-world exploitation likelihood depends on whether public exploits exist and the extension's actual user base.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30995 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light plugin (versions up to 3.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to trick authenticated users into performing unintended actions, resulting in persistent XSS payload injection that affects all subsequent visitors. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world exploitability without requiring elevated privileges.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28981 HIGH This Week

A cross-site scripting vulnerability in Soli WP Mail Options allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28974 HIGH This Week

CSRF vulnerability in mail250 Free WP Mail SMTP (versions up to 1.0) that enables stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts via crafted requests. The vulnerability requires user interaction (UI:R) but has network-based attack vector (AV:N) with low complexity (AC:L), affecting WordPress installations using this email plugin. While CVSS 7.1 indicates medium-high severity with confidentiality, integrity, and availability impact, real-world exploitation depends on KEV status, EPSS probability, and public POC availability-data not provided in the source material.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28966 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in the dilemma123 Recent Posts Slider Responsive WordPress plugin (versions through 1.0.1) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads, which execute in the browsers of site administrators and visitors, potentially leading to account compromise, malware distribution, or defacement. The vulnerability requires user interaction (UI:R) but has network-accessible attack surface (AV:N) with moderate CVSS score of 7.1 and should be prioritized for patched WordPress installations running vulnerable plugin versions.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28964 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon (versions up to 2.0) that enables Stored XSS attacks. An unauthenticated attacker can craft a malicious request that, when visited by a user, executes arbitrary JavaScript in the victim's browser context with access to sensitive data and session tokens. While no public exploit or KEV status confirmation is available from the provided data, the CVSS 7.1 score and Stored XSS payload persistence indicate moderate-to-high real-world risk, particularly if the plugin has significant user adoption.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28958 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov's Bg Orthodox Calendar plugin that enables Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects all versions from an unspecified baseline through 0.13.10, allowing unauthenticated attackers over the network to inject and store malicious scripts that execute in users' browsers with moderate impact to confidentiality, integrity, and availability. The CVSS 7.1 score reflects the combination of network attack vector with user interaction requirement; real-world exploitation risk depends on whether this vulnerability is actively exploited or has public proof-of-concept code available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28950 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai's Post Author WordPress plugin (versions through 1.1.1) that enables Stored Cross-Site Scripting (XSS) attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in the browsers of all users viewing affected content, potentially leading to account compromise, data theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating practical exploitability without authentication.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28948 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in the codedraft Mediabay WordPress plugin (versions up to 1.4) that enables reflected XSS attacks. Attackers can exploit this network-accessible vulnerability without authentication to perform unauthorized actions on behalf of authenticated users and inject malicious scripts, affecting WordPress installations using this media library plugin. The CVSS 7.1 score and absence of KEV/active exploitation data suggest moderate real-world risk with UI interaction required.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48909 HIGH This Week

Bypass vulnerability in device management channels that allows unauthenticated attackers on adjacent networks to compromise service confidentiality and cause minor availability impact. The vulnerability affects device management implementations across multiple vendors (specific products require vendor advisories to identify). While no active exploitation in the wild has been confirmed in public KEV databases at time of analysis, the 7.1 CVSS score and high confidentiality impact warrant immediate attention for organizations managing devices on trusted networks.

Authentication Bypass Information Disclosure Harmonyos
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-5791 HIGH PATCH This Week

Privilege escalation vulnerability in the Rust 'users' crate that incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has high impact on confidentiality and integrity.

Rust Privilege Escalation Red Hat Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy