Skip to main content
CVE-2025-31059 CRITICAL Act Now

A critical SQL injection vulnerability (CVE-2025-31059) exists in woobewoo WBW Product Table PRO plugin versions up to 2.1.3, allowing unauthenticated remote attackers to execute arbitrary SQL queries and extract sensitive database information. The CVSS 9.3 score reflects the severe impact on confidentiality with network-based attack vectors requiring no user interaction, though integrity is not compromised. The vulnerability's active exploitation status and high EPSS score indicate this is a genuine, prioritized threat requiring immediate patching.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-24767 CRITICAL Act Now

Blind SQL Injection vulnerability in the TicketBAI Facturas para WooCommerce plugin (versions up to 3.19) that allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has a critical CVSS score of 9.3 with network-based attack vector requiring no privileges or user interaction, potentially enabling data exfiltration from WordPress database instances. Active exploitation status and proof-of-concept availability should be verified through KEV databases and security research channels.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-31039 CRITICAL Act Now

CVE-2025-31039 is an XML External Entity (XXE) injection vulnerability in the Pixelgrade Category Icon WordPress plugin (versions through 1.0.2) that allows authenticated attackers with high privileges to read arbitrary files, execute remote code, or cause denial of service through improper XML entity validation. The vulnerability has a critical CVSS score of 9.1 but requires administrator-level privileges to exploit; active exploitation status and proof-of-concept availability are not confirmed from the provided intelligence.

XXE
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-5894 HIGH This Week

Critical Missing Authorization (CWE-862) vulnerability in Honding Technology's Smart Parking Management System that allows authenticated users with regular privileges to bypass authorization controls and create administrator accounts without proper authorization checks. Attackers can leverage this flaw to escalate privileges, create backdoor admin accounts, and gain full system control (confidentiality, integrity, and availability impact). The CVSS 8.8 score reflects the high severity, though real-world exploitability depends on whether this vulnerability is actively exploited in the wild and whether public proof-of-concept code exists.

Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-47561 HIGH PATCH This Week

CVE-2025-47561 is an Incorrect Privilege Assignment vulnerability in PT Norther Lights Production MapSVG that allows authenticated users to escalate their privileges within the application. Affected versions are MapSVG prior to 8.6.13. An attacker with low-privilege login credentials can exploit this flaw to gain high-impact unauthorized access to sensitive data, modify critical information, and potentially disrupt service availability.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-40670 HIGH This Week

CVE-2025-40670 is an incorrect authorization vulnerability in TCMAN's GIM (Gestion Integrada de Mantenimiento) v11 that allows an authenticated but unprivileged attacker to escalate privileges by creating new users with elevated permissions through an insecure API endpoint. An attacker with valid (low-privilege) credentials can POST to /PC/frmGestionUser.aspx/updateUser to arbitrarily assign administrative or other high-privilege roles to newly created accounts, resulting in complete system compromise. This vulnerability represents a critical privilege escalation risk in maintenance management systems, potentially affecting industrial and critical infrastructure environments that rely on TCMAN for asset management.

Authentication Bypass Privilege Escalation Gim
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-31019 HIGH This Week

CVE-2025-31019 is an authentication bypass vulnerability in miniOrange Password Policy Manager that allows authenticated attackers to escalate privileges and abuse authentication mechanisms through alternate pathways. Affected versions are 2.0.4 and earlier; attackers with low privileges (PR:L) can exploit this remotely without user interaction (UI:N) to achieve complete system compromise including confidentiality, integrity, and availability impacts. No public KEV or active exploitation data is available at this time, but the high CVSS score of 8.8 and authentication bypass nature indicate significant risk to WordPress sites using this plugin.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-3582 MEDIUM POC PATCH This Month

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

WordPress XSS Newsletter PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-3581 MEDIUM POC PATCH This Month

The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

WordPress XSS Newsletter PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-48267 HIGH This Week

Path traversal vulnerability in ThimPress WP Pipes that allows unauthenticated remote attackers to access files outside restricted directories, potentially causing denial of service or information disclosure. Versions through 1.4.2 are affected. The vulnerability has a high CVSS score of 8.6 due to network accessibility and no authentication requirements, though the impact is limited to availability rather than confidentiality or integrity.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-47651 HIGH This Week

A SQL injection vulnerability in Infility Global (CWE-89) allows authenticated attackers to execute arbitrary SQL queries with network access, potentially leading to unauthorized data disclosure and limited availability impact. The vulnerability affects Infility Global versions up to and including 2.12.4, and the CVSS 8.5 score reflects high confidentiality impact; however, without confirmation of active exploitation (KEV status) or public POC availability, real-world risk depends on deployment prevalence and attacker motivation.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-31920 HIGH This Week

SQL Injection vulnerability in AmentoTech WP Guppy plugin versions through 4.3.3 that allows authenticated attackers to execute arbitrary SQL commands due to improper neutralization of special elements in SQL queries. With a CVSS score of 8.5 and network-based attack vector requiring only low privileges, an attacker with user-level access can exfiltrate sensitive data from the WordPress database and cause service disruption. The vulnerability's high severity is tempered by the requirement for authenticated access (PR:L), though the scope change (S:C) indicates potential lateral impact across other applications sharing the database.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-41444 HIGH PATCH This Week

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior contain an authenticated SQL injection vulnerability in the alerts module (CWE-89) that allows authenticated users to execute arbitrary SQL commands. An attacker with valid credentials can exploit this network-accessible vulnerability to read sensitive data, modify database contents, or degrade system availability. The CVSS 8.3 score reflects high confidentiality and integrity impact, though authentication is required; real-world exploitation probability and active weaponization status cannot be confirmed without KEV/EPSS data access.

SQLi Zoho Authentication Bypass Manageengine Adaudit Plus
NVD
CVSS 3.1
8.3
EPSS
0.7%
CVE-2025-36528 HIGH PATCH This Week

CVE-2025-36528 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADAudit Plus versions 8510 and earlier, affecting the Service Account Auditing reports functionality. An authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure, data modification, or partial denial of service. With a CVSS score of 8.3 and network-accessible attack vector, this represents a significant risk to organizations using affected versions, particularly in environments where administrative audit logs contain sensitive credentials and access patterns.

SQLi Zoho Information Disclosure Manageengine Adaudit Plus
NVD
CVSS 3.1
8.3
EPSS
0.7%
CVE-2025-27709 HIGH PATCH This Week

A SQL injection vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

SQLi Zoho Information Disclosure Manageengine Adaudit Plus
NVD
CVSS 3.1
8.3
EPSS
0.7%
CVE-2025-5896 MEDIUM POC PATCH This Month

A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.

Denial Of Service Taro
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-5897 MEDIUM POC This Month

A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.

Denial Of Service Vue Cli
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-49006 HIGH PATCH This Week

Wasp framework versions prior to 0.16.6 contain a critical OAuth/OpenID Connect implementation flaw where user IDs are improperly lowercased before storage and authentication, violating specification requirements. This affects only Keycloak deployments configured with case-sensitive user IDs, enabling attackers to impersonate users, trigger account collisions, and escalate privileges. While the CVSS score of 8.2 reflects high integrity impact, real-world risk is constrained to Keycloak with specific non-default configuration, and no public exploit or KEV designation has been reported.

Node.js Privilege Escalation Google
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2025-49282 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Magze versions up to 1.0.9 that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. This is a network-accessible vulnerability with high attack complexity but complete impact on confidentiality, integrity, and availability (CVSS 8.1). The vulnerability likely affects WordPress plugin deployments where Magze is installed, and successful exploitation could lead to remote code execution through log poisoning or other LFI-to-RCE chains.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49281 HIGH This Week

A security vulnerability in Unfoldwp Magways allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49280 HIGH This Week

A security vulnerability in Unfoldwp Magty allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49279 HIGH This Week

A security vulnerability in Unfoldwp Blogvy allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49278 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Blogty plugin versions up to 1.0.11 that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. The vulnerability has a CVSS score of 8.1 (High), indicating potential for confidentiality, integrity, and availability compromise. Active exploitation status and EPSS probability are critical factors in determining real-world risk severity.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49277 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Blogprise WordPress plugin versions through 1.0.9, stemming from improper control of filename parameters in PHP include/require statements (CWE-98). An unauthenticated remote attacker can exploit this vulnerability over the network to read arbitrary files from the server filesystem, potentially leading to information disclosure, code execution, or further compromise. The CVSS 8.1 score reflects high severity with network accessibility and significant confidentiality/integrity/availability impact, though attack complexity is rated as high suggesting specific conditions must be met for exploitation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49276 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Blogmine versions up to 1.1.7 that allows unauthenticated remote attackers to include and execute arbitrary files on the server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements (CWE-98). While the CVSS score of 8.1 reflects high impact potential across confidentiality, integrity, and availability, the AC:H (Attack Complexity: High) suggests exploitation requires specific conditions; KEV status, EPSS probability, and public POC availability are critical factors for determining actual prioritization.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49275 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in Unfoldwp Blogbyte versions through 1.1.1, stemming from improper control of filenames in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability with high complexity to achieve arbitrary code execution, information disclosure, or service disruption. While the CVSS score of 8.1 reflects severe potential impact, the High attack complexity (AC:H) suggests exploitation requires specific conditions or timing, and KEV/active exploitation status and POC availability remain unconfirmed from available intelligence.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-48126 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in g5theme Essential Real Estate plugin versions through 5.2.1, allowing unauthenticated remote attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filename parameters in PHP include/require statements (CWE-98), enabling potential information disclosure, code execution, and system compromise. While the CVSS score of 8.1 indicates high severity with high confidentiality and integrity impact, real-world exploitation depends on server configuration, file system permissions, and available local files for inclusion.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-48125 HIGH This Week

Local File Inclusion (LFI) vulnerability in WP Event Manager WordPress plugin versions through 3.1.49 that allows unauthenticated remote attackers to include and execute arbitrary PHP files from the server filesystem. This CWE-98 vulnerability has a CVSS score of 8.1 (High severity) with high impact on confidentiality, integrity, and availability. While the vulnerability requires specific conditions (AC:H), its network accessibility and lack of authentication requirements make it a significant risk for affected WordPress installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-32595 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in Gavias Krowd versions up to 1.4.1 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper control of filename parameters in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or execute malicious code with high complexity but high impact including confidentiality, integrity, and availability compromise. No public exploit code or active exploitation reports are currently available in standard vulnerability databases, but the high CVSS score (8.1) and network-accessible attack vector indicate significant risk for unpatched installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-28992 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in SNS Anton theme versions up to 4.1 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper input validation on filename parameters in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or achieve remote code execution through log poisoning or other local file abuse techniques. With a CVSS score of 8.1 and network-based attack vector, this represents a critical risk to affected WordPress installations, particularly if actively exploited in the wild or if public proof-of-concept code is available.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-28945 HIGH This Week

A remote code execution vulnerability in snstheme Valen - Sport (CVSS 8.1). High severity vulnerability requiring prompt remediation.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-28944 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in the snstheme Avaz plugin that allows unauthenticated remote attackers to include arbitrary PHP files via improper control of filename parameters in include/require statements. The vulnerability affects Avaz versions through 2.8 and has a CVSS score of 8.1 (high severity), enabling attackers to execute arbitrary code, read sensitive files, and compromise system integrity without requiring authentication or user interaction.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-28888 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in BZOTheme GiftXtore versions through 1.7.4 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. This is a high-severity vulnerability (CVSS 8.1) that can lead to complete system compromise including confidentiality, integrity, and availability breaches. The vulnerability stems from improper validation of filename parameters in PHP include/require statements, enabling attackers to access sensitive files or execute malicious code without authentication.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-27362 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in BZOTheme Petito versions up to 1.6.2 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability exploits improper control of filename parameters in PHP include/require statements (CWE-98), enabling attackers to read sensitive files, execute code, or compromise server integrity with a CVSS score of 8.1 (High). While no public exploit code or KEV/EPSS data are confirmed in standard databases, the high CVSS and network accessibility make this a significant priority for affected organizations.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-26592 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in AncoraThemes Inset theme affecting versions through 1.18.0, allowing unauthenticated remote attackers to include and execute arbitrary local files on vulnerable servers. This CWE-98 vulnerability stems from improper control of filename parameters in PHP include/require statements, with a CVSS score of 8.1 (High) reflecting significant confidentiality, integrity, and availability impact. The moderate attack complexity (AC:H) suggests exploitation requires specific conditions or knowledge, though the network-accessible attack vector (AV:N) and lack of privilege requirements (PR:N) make this practically exploitable.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-24770 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in BZOTheme CraftXtore versions up to 1.7 that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. The vulnerability has a CVSS score of 8.1 (high severity) with network accessibility and high impact to confidentiality, integrity, and availability. Exploitation requires moderate attack complexity but no user interaction or privileges, making it a significant risk if actively exploited or proof-of-concept code becomes public.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-24768 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in snstheme Nitan theme affecting versions through 2.9, allowing unauthenticated remote attackers to include and execute arbitrary local files on the server. While the CVSS score of 8.1 indicates high severity with potential for confidentiality, integrity, and availability impact, the attack complexity is marked as HIGH, suggesting exploitation requires specific conditions or server configurations. The vulnerability stems from improper validation of filename parameters in PHP include/require statements (CWE-98), a classic but dangerous class of web application flaws.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2023-26005 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in BZOTheme Fitrush versions up to 1.3.4 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or achieve remote code execution depending on server configuration. While the CVSS score is 8.1 (high severity), the CVSS vector indicates high attack complexity (AC:H), suggesting exploitation may require specific environmental conditions or knowledge of the target system's file structure.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2023-25999 HIGH This Week

A remote code execution vulnerability in snstheme BodyCenter - Gym (CVSS 8.1). High severity vulnerability requiring prompt remediation.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49651 HIGH This Week

A security vulnerability in the session. This vulnerability exists in all current (CVSS 8.1) that allows attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-23974 HIGH This Week

CVE-2025-23974 is an Incorrect Privilege Assignment vulnerability in ifkooo One-Login that enables unauthenticated remote privilege escalation. Versions 1.4 and earlier are affected, allowing attackers to gain high-impact unauthorized access to sensitive functions without user interaction. The CVSS 8.1 score reflects significant risk, though the high attack complexity (AC:H) suggests exploitation requires specific conditions; KEV/POC status and active exploitation data are not available in provided intelligence.

Privilege Escalation
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49297 HIGH This Week

Path traversal vulnerability in Mikado-Themes Grill and Chow WordPress themes (versions through 1.6) that enables PHP Local File Inclusion (LFI) attacks. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary files on the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential data. The high CVSS score of 8.1 reflects significant impact on confidentiality and integrity, though exploitation requires higher attack complexity.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49296 HIGH This Week

A Path Traversal vulnerability in Mikado-Themes GrandPrix WordPress theme (versions through 1.6) allows unauthenticated remote attackers to perform PHP Local File Inclusion (LFI) attacks, potentially leading to arbitrary file reading, information disclosure, and remote code execution. The vulnerability has a CVSS score of 8.1 (High) with high impact on confidentiality, integrity, and availability; exploitation requires medium attack complexity but no user interaction or privileges. KEV status and active exploitation data were not provided, but the high CVSS and LFI nature suggest significant real-world risk if POC is publicly available.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49295 HIGH This Week

A Path Traversal vulnerability in Mikado-Themes MediClinic through version 2.1 enables unauthenticated remote attackers to conduct PHP Local File Inclusion (LFI) attacks, potentially allowing arbitrary file reading and code execution. The CVSS 8.1 score reflects high impact across confidentiality, integrity, and availability, though attack complexity is listed as HIGH. No public confirmation of active KEV exploitation or PoC availability is documented in standard feeds, but the high CVSS and LFI vector suggest this should be treated as a credible priority vulnerability.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-39475 HIGH This Week

Path Traversal vulnerability enabling PHP Local File Inclusion (LFI) in Frenify Arlo through version 6.0.3. The vulnerability allows unauthenticated remote attackers to read arbitrary files from the server filesystem by manipulating path parameters, potentially exposing sensitive configuration files, source code, and credentials. With a CVSS score of 8.1 and network-accessible attack vector, this vulnerability poses significant risk to confidentiality and integrity; exploitation likelihood and active weaponization status cannot be confirmed from available data, but the straightforward nature of path traversal attacks suggests moderate-to-high real-world exploitation probability.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-39473 HIGH This Week

Path traversal vulnerability in WebGeniusLab Seofy Core (versions up to 1.4.5) that allows unauthenticated remote attackers to achieve PHP Local File Inclusion (LFI) with high complexity. The vulnerability enables attackers to read arbitrary files and potentially execute code on affected systems. No public indicators confirm active exploitation or KEV listing at this time, but the high CVSS score (8.1) and remote attack vector indicate significant risk requiring urgent patching.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49653 HIGH This Week

Sensitive data exposure vulnerability in Lablup's BackendAI that allows authenticated attackers with high privileges to retrieve user credentials from active sessions on the management platform. The vulnerability affects the session management mechanism and has a CVSS score of 8.0 with a complex attack vector requiring high privilege access, indicating a serious but not trivially exploitable issue in production environments.

Information Disclosure
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-32308 HIGH This Week

Missing Authorization vulnerability (CWE-862) in looks_awesome Team Builder versions up to 1.5.7 that allows authenticated attackers to exploit misconfigured access control security levels to gain unauthorized access to sensitive functionality. An attacker with valid credentials can bypass intended authorization checks to read, modify, or delete data they should not have access to. The CVSS 7.6 score reflects the combination of low attack complexity, authenticated access requirement, and moderate-to-high impact on confidentiality and integrity.

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49004 HIGH PATCH This Week

DNS rebinding vulnerability in Caido (web security auditing toolkit) versions prior to 0.48.0 that allows attackers to hijack the authentication flow and achieve remote code execution. An attacker can load Caido on an attacker-controlled domain through DNS rebinding attacks, either during initial setup or by re-initiating the authentication flow on an already-configured instance. The vulnerability requires user interaction (UI:R) but poses high impact (C:H, I:H, A:H) with a CVSS score of 7.5, and the patch is available in version 0.48.0.

RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-48053 HIGH PATCH This Week

Denial-of-service vulnerability in Discourse that allows unauthenticated remote attackers to reduce the availability of a Discourse instance by sending malicious URLs in private messages to bot users. The vulnerability affects Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed), with a CVSS 7.5 rating indicating high severity. No known public exploits or workarounds are currently available, but patches have been released.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy