Critical remote authentication bypass vulnerability affecting an unspecified software package, exploitable through improper type conversion handling (CWE-704). An unauthenticated network attacker can bypass authentication controls without user interaction to achieve complete device compromise including confidentiality, integrity, and availability violations. The vulnerability carries a maximum CVSS 3.1 score of 9.8 with network accessibility and low attack complexity, indicating high real-world exploitability risk; without access to KEV/EPSS data or POC confirmation, exploitation likelihood cannot be definitively assessed but the attack vector and complexity profile suggests active exploitation potential.
Critical remote code execution vulnerability in expression language processors that allows unauthenticated attackers to execute arbitrary code with maximum server privileges through improper input neutralization. This is a perfect-score CVSS 10.0 vulnerability affecting expression language engines across multiple frameworks; exploitation requires no authentication, user interaction, or special configuration, making it an immediate priority for any organization using affected technologies.
Critical remote code execution vulnerability in Soar Cloud HRD Human Resource Management System (versions through 7.3.2025.0408) caused by unsafe deserialization of untrusted data in the download file function. An unauthenticated remote attacker can exploit this to execute arbitrary system commands with no user interaction required, achieving complete compromise of confidentiality, integrity, and availability. The CVSS 9.8 severity and network-accessible attack vector indicate this is a high-priority threat requiring immediate patching.
Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows authenticated attackers to read arbitrary files through parameter manipulation ('double writing' the param). With a CVSS 9.8 score and network-based attack vector requiring no user interaction, this represents a high-severity information disclosure risk affecting data ingestion pipeline deployments.
The WP Email Debug WordPress plugin (versions 1.0-1.1.0) contains a critical privilege escalation vulnerability (CVE-2025-5486) stemming from missing capability checks in the WPMDBUG_handle_settings() function. Unauthenticated attackers can exploit this to modify plugin settings, redirect administrator emails to attacker-controlled addresses, and trigger password resets to gain full administrative access to affected WordPress installations. The CVSS 9.8 score reflects network-based exploitation with zero complexity and no authentication required, representing a critical severity threat with high real-world exploitation potential.
Critical remote code execution vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408, stemming from unrestricted file uploads that bypass type validation. An unauthenticated remote attacker can upload a malicious file (e.g., executable, script) and execute arbitrary system commands with no user interaction required, achieving complete system compromise. With a CVSS score of 9.8 (critical) and an unauthenticated attack vector, this poses immediate and severe risk to all unpatched deployments.
Critical path traversal vulnerability (CWE-23) that allows unauthenticated remote attackers to read, write, or delete arbitrary files on affected servers with a CVSS score of 9.8. The vulnerability requires no user interaction, has low attack complexity, and grants complete confidentiality, integrity, and availability impact. Without access to KEV status, EPSS scores, POC details, or specific CPE identifiers from the provided data, this appears to be a severe vulnerability affecting multiple server-side products; confirmation of active exploitation status and patch availability requires cross-referencing official vendor security advisories.
Critical deserialization of untrusted data vulnerability in Axiomthemes Sweet Dessert that enables object injection attacks. The vulnerability affects Sweet Dessert versions before 1.1.13 and allows remote attackers to inject malicious serialized objects without authentication, potentially achieving remote code execution with complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction or privileges, this represents a critical internet-exposed risk.
Critical deserialization vulnerability in AncoraThemes Mr. Murphy WordPress theme that allows unauthenticated remote attackers to inject arbitrary objects and achieve complete system compromise (confidentiality, integrity, and availability impact). All versions before 1.2.12.1 are vulnerable. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this vulnerability presents an immediate, high-priority threat to affected WordPress installations.
Hardcoded administrative account vulnerability in an undocumented system component that cannot be deactivated, allowing local users to gain complete system compromise with high confidentiality, integrity, and availability impact. While the vulnerability carries a critical CVSS 9.4 score, the attack vector is restricted to local access only, significantly reducing real-world network-based exploitation risk. The vulnerability's severity stems from CWE-798 (Use of Hard-Coded Credentials), a foundational authentication bypass mechanism that enables privilege escalation and persistent administrative access.
PHP Local File Inclusion (LFI) vulnerability in StylemixThemes Motors - Events plugin affecting versions up to 1.4.7, allowing unauthenticated remote attackers to include and execute arbitrary PHP files under certain conditions. With a CVSS score of 9.0 and network accessibility, this vulnerability enables complete system compromise through code execution. Active exploitation status and proof-of-concept availability should be verified through KEV database and security research databases.