Skip to main content
CVE-2025-33053 HIGH POC KEV PATCH THREAT Act Now

Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables remote code execution over a network. KEV-listed with EPSS 48.5% and public PoC, this vulnerability allows attackers to craft malicious .url files that execute arbitrary code when opened, bypassing the security restrictions normally applied to internet-sourced shortcut files.

Microsoft Windows RCE Path Traversal Windows Server 2016 +14
NVD
CVSS 3.1
8.8
EPSS
48.5%
Threat
6.2
CVE-2025-33073 HIGH POC KEV PATCH THREAT Act Now

Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attackers to escalate privileges over the network. KEV-listed with EPSS 57.6% and public PoC, this vulnerability in the core Windows file sharing protocol affects every Windows system on the network, enabling lateral movement from any compromised domain account to SYSTEM-level access on SMB-accessible systems.

Microsoft Information Disclosure Windows Server 2022 Windows 11 24h2 Windows 10 21h2 +14
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
57.6%
Threat
6.5
CVE-2025-4653 HIGH POC PATCH THREAT Act Now

OS command injection vulnerability in the backup name field of Pandora ITSM 5.0.105 that results from improper neutralization of special elements (CWE-77). An authenticated attacker with high privileges can inject arbitrary OS commands through the backup name parameter, potentially achieving code execution with high confidentiality impact. The CVSS 7.0 score reflects the requirement for privileged access (PR:H), but the network-accessible attack vector (AV:N) and low attack complexity (AC:L) indicate this is a practical threat in enterprise environments where administrative accounts may be compromised or abused.

Command Injection
NVD
CVSS 4.0
7.0
EPSS
34.7%
CVE-2025-30220 CRITICAL POC PATCH Act Now

A remote code execution vulnerability in GeoServer (CVSS 9.9) that allows users. Risk factors: public PoC available. Vendor patch is available.

XXE Geonetwork Geotools Geoserver
NVD GitHub
CVSS 3.1
9.9
EPSS
8.4%
CVE-2025-27817 HIGH POC PATCH THREAT Act Now

A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk factors: EPSS 17% exploitation probability.

Apache SSRF Kafka Red Hat Suse
NVD HeroDevs GitHub
CVSS 3.1
7.5
EPSS
17.5%
CVE-2025-47166 HIGH POC PATCH This Week

Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely with high impact to confidentiality, integrity, and availability. The vulnerability affects SharePoint environments where an authorized user can submit malicious serialized objects, bypassing input validation due to unsafe deserialization practices (CWE-502). While the attack requires valid credentials (PR:L), the network-accessible attack vector (AV:N), low attack complexity (AC:L), and high CVSS score of 8.8 indicate significant real-world risk, particularly in organizations with broad internal user bases or federated access.

Microsoft Deserialization Exchange RCE Sharepoint Server +1
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
8.6%
CVE-2024-57190 CRITICAL POC PATCH Act Now

Erxes versions prior to 1.6.1 contain a critical authentication bypass vulnerability where attackers can impersonate any user by injecting arbitrary values into the 'User' HTTP header, gaining unauthorized access to all GraphQL endpoints. This CWE-284 (Incorrect Access Control) flaw requires no authentication credentials, no user interaction, and can be exploited over the network with trivial complexity, resulting in complete compromise of confidentiality, integrity, and availability (CVSS 9.8). The vulnerability likely has active exploitation potential given the simplicity of the attack vector and the critical nature of authentication bypass flaws in widely-deployed platforms.

Authentication Bypass Erxes
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-32724 HIGH PATCH Act Now

Windows Local Security Authority Subsystem Service (LSASS) contains an uncontrolled resource consumption vulnerability that allows unauthenticated remote attackers to cause a denial of service. Crashing or degrading LSASS disrupts all authentication and authorization on the affected Windows server, effectively taking the system offline.

Microsoft Authentication Bypass Windows 10 21h2 Windows Server 2012 Windows 11 24h2 +13
NVD
CVSS 3.1
7.5
EPSS
28.3%
CVE-2025-5907 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK EX1200T routers (firmware versions up to 4.1.2cu.5232_B20210713) affecting the HTTP POST request handler at the /boafrm/formFilter endpoint. An authenticated remote attacker can exploit this vulnerability to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). The vulnerability has been publicly disclosed with exploit code available, creating immediate risk for deployed devices.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-5905 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK T10 firmware version 4.1.8cu.5207 affecting the WiFi repeater configuration function. An authenticated remote attacker can exploit this vulnerability by sending a malicious POST request with an oversized Password parameter to /cgi-bin/cstecgi.cgi, achieving complete compromise of the device including arbitrary code execution. Public disclosure and proof-of-concept code availability significantly elevate real-world risk despite requiring authenticated access.

Buffer Overflow TP-Link RCE T10 Firmware TOTOLINK
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-5904 HIGH POC This Week

A critical buffer overflow vulnerability exists in TOTOLINK T10 firmware version 4.1.8cu.5207 in the setWiFiMeshName function of the POST request handler (/cgi-bin/cstecgi.cgi). An authenticated remote attacker can overflow the device_name parameter to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). Public exploit code is available, elevating real-world risk despite the requirement for authenticated access.

Buffer Overflow TP-Link RCE T10 Firmware TOTOLINK
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-5903 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK T10 firmware version 4.1.8cu.5207 affecting the setWiFiAclRules function in the POST request handler (/cgi-bin/cstecgi.cgi). An authenticated attacker can remotely exploit this vulnerability by manipulating the 'desc' parameter to achieve code execution with full system compromise (confidentiality, integrity, and availability impact). A public proof-of-concept exists, elevating real-world exploitation risk despite requiring low-privilege authentication.

Buffer Overflow TP-Link RCE T10 Firmware TOTOLINK
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-5978 HIGH POC This Week

A critical stack-based buffer overflow vulnerability exists in Tenda FH1202 firmware version 1.2.0.14 within the /goform/VirtualSer endpoint's fromVirtualSer function, triggered by unsanitized 'page' parameter manipulation. An authenticated attacker can exploit this remotely to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit disclosure and proof-of-concept availability significantly elevate real-world exploitation risk.

Buffer Overflow Fh1202 Firmware Tenda RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-5911 HIGH POC This Week

A buffer overflow vulnerability in TOTOLINK EX1200T (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5910 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK EX1200T routers (firmware versions up to 4.1.2cu.5232_B20210713) affecting the HTTP POST request handler at endpoint /boafrm/formWsc. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability). The vulnerability has public exploit code available and may be actively exploited in the wild.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5909 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK EX1200T wireless routers (up to firmware version 4.1.2cu.5232_B20210713) affecting the HTTP POST request handler for the /boafrm/formReflashClientTbl endpoint. An authenticated attacker can remotely exploit this vulnerability to achieve complete system compromise including confidentiality, integrity, and availability violations. Public exploit code has been disclosed, making this an active threat with demonstrated proof-of-concept availability.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5908 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK EX1200T wireless routers (up to version 4.1.2cu.5232_B20210713) affecting the HTTP POST request handler for the /boafrm/formIpQoS endpoint. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability). The exploit has been publicly disclosed and proof-of-concept code is available, making this a high-priority threat for affected deployments.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5969 HIGH POC This Week

Critical stack-based buffer overflow vulnerability in D-Link DIR-632 firmware version FW103B08, affecting the HTTP POST request handler in the /biurl_grou component. An authenticated attacker can remotely exploit this vulnerability to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. Public exploit code has been disclosed and the affected product is no longer maintained by D-Link, significantly increasing real-world risk.

Buffer Overflow D-Link Dir 632 Firmware RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5912 HIGH POC This Week

Critical stack-based buffer overflow vulnerability in D-Link DIR-632 firmware version FW103B08, affecting the HTTP POST Request Handler's do_file function. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code is available and the affected product is end-of-life with no vendor support.

Buffer Overflow D-Link RCE Dir 632 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5934 HIGH POC This Week

A critical stack-based buffer overflow vulnerability (CVE-2025-5934) exists in Netgear EX3700 wireless extenders up to version 1.0.0.88, affecting the sub_41619C function in the /mtd file. An authenticated attacker can remotely exploit this vulnerability to achieve complete system compromise including confidentiality, integrity, and availability breaches. Public exploit code is available, and while the affected product line is no longer supported by Netgear, immediate patching to version 1.0.0.98 is critical for active deployments.

Buffer Overflow Netgear Ex3700 Firmware RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-33068 HIGH PATCH Act Now

Windows Standards-Based Storage Management Service contains an uncontrolled resource consumption vulnerability allowing unauthenticated network attackers to cause denial of service. The service manages storage operations and its disruption affects storage provisioning and management on Windows servers.

Microsoft Denial Of Service Windows Windows Server 2012 Windows Server 2019 +3
NVD
CVSS 3.1
7.5
EPSS
26.8%
CVE-2025-4954 HIGH POC This Week

A arbitrary file access vulnerability (CVSS 8.8). Risk factors: public PoC available.

WordPress PHP RCE Privilege Escalation Axle Demo Importer
NVD WPScan
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-29198 HIGH POC PATCH This Week

GeoServer contains a Server-Side Request Forgery (SSRF) vulnerability in the Demo request endpoint (TestWfsPost servlet) that allows unauthenticated network attackers to make arbitrary HTTP requests from the server when Proxy Base URL is not configured. This high-severity vulnerability (CVSS 7.5) affects GeoServer versions prior to 2.24.4 and 2.25.2, enabling attackers to access internal resources, cloud metadata endpoints, and potentially interact with backend systems.

Java SSRF Geoserver
NVD GitHub
CVSS 3.1
7.5
EPSS
6.4%
CVE-2025-47957 HIGH POC This Week

Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary code with high privileges. The vulnerability affects Word processing functionality and requires no user interaction, making it a critical local privilege escalation vector. Without confirmed KEV status or public POC availability, real-world exploitation likelihood should be assessed against EPSS data and patch availability from Microsoft security advisories.

Use After Free Microsoft Windows RCE Office Long Term Servicing Channel +1
NVD Exploit-DB
CVSS 3.1
8.4
EPSS
0.7%
CVE-2025-47163 HIGH PATCH Act Now

Critical deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely without user interaction. The vulnerability affects SharePoint environments where untrusted data is deserialized, enabling network-based code execution with high impact to confidentiality, integrity, and availability. While no public exploit code has been confirmed in open intelligence sources, the CVSS 8.8 rating and low attack complexity suggest this is a high-priority patch for all affected organizations.

Microsoft Office365 Deserialization RCE Sharepoint Enterprise Server +1
NVD
CVSS 3.1
8.8
EPSS
16.9%
CVE-2025-47165 HIGH POC PATCH This Week

Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). An attacker with local access can trigger the vulnerability through user interaction (opening a malicious file) to execute arbitrary code with the privileges of the Excel process, potentially achieving full system compromise. No KEV status, active exploitation data, or public POC availability was confirmed in the provided dataset, but the high CVSS score and local attack vector indicate this requires prompt patching.

Use After Free Microsoft Windows RCE Excel +4
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.5%
CVE-2025-47175 HIGH POC PATCH This Week

Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arbitrary code with high integrity and confidentiality impact. The vulnerability requires user interaction (opening a malicious PowerPoint file) but no elevated privileges, making it accessible to standard user accounts. With a CVSS score of 7.8 and local attack vector, this represents a moderate-to-high severity risk for organizations where PowerPoint is widely deployed.

Microsoft Denial Of Service Office Powerpoint Office Long Term Servicing Channel +1
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.5%
CVE-2025-4840 HIGH POC This Week

A SQL injection vulnerability in through 1.0.0 does not properly sanitise and escape a parameter (CVSS 7.5). Risk factors: public PoC available.

WordPress SQLi PHP Likes And Dislikes
NVD WPScan
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-46612 HIGH POC This Week

CVE-2025-46612 is an unrestricted file upload vulnerability in Airleader Master and Easy versions prior to 6.36 that allows authenticated administrators to execute arbitrary commands on the server via malicious JSP file uploads through the Panel Designer dashboard. While requiring high-privilege credentials (administrator login), the vulnerability is particularly dangerous due to weak default credentials and the ease of exploitation. No active KEV designation or widespread POC availability has been confirmed, but the straightforward attack vector and high impact make this a significant priority for organizations using affected versions.

File Upload Easy Firmware
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2025-47171 MEDIUM POC PATCH This Month

Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.

Microsoft Information Disclosure 365 Apps Office Long Term Servicing Channel Office +1
NVD Exploit-DB
CVSS 3.1
6.7
EPSS
2.5%
CVE-2024-41502 MEDIUM POC This Month

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) via the form field "Observaces" (observances) in the "Pessoas" (persons) section when creating or editing either a legal or a natural person.

XSS Imobiliaria
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-41504 MEDIUM POC This Month

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS). In the "Oportunidades" (opportunities) section of the application when creating or editing an "Atividade" (activity), the form field "Descrico" allows injection of JavaScript.

XSS Imobiliaria
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-41505 MEDIUM POC This Month

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the "Pessoas" (persons) section via the field "Profisso" (professor).

XSS Imobiliaria
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-41503 MEDIUM POC This Month

Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the field "Ttulo" (title) inside the filter Save option in the "Busca" (search) function.

XSS Imobiliaria
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-1041 CRITICAL PATCH Act Now

CVE-2025-1041 is a security vulnerability (CVSS 9.9) that allows an unauthorized remote command. Critical severity with potential for significant impact on affected systems.

Authentication Bypass Call Management System
NVD
CVSS 3.1
9.9
EPSS
0.2%
CVE-2025-2474 CRITICAL Act Now

A security vulnerability in the PCX image codec in QNX SDP (CVSS 9.8) that allows an unauthenticated attacker. Critical severity with potential for significant impact on affected systems.

Buffer Overflow Qnx Software Development Platform
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-40585 CRITICAL Act Now

Critical authentication bypass vulnerability affecting Energy Services products that use the G5DFR component, where default credentials allow unauthenticated remote attackers to gain full control and tamper with device outputs. The CVSS 9.9 score reflects the severe nature of this issue-no authentication required, network-accessible, with high integrity impact across system boundaries. This vulnerability poses an immediate threat to critical infrastructure and industrial control systems relying on Energy Services with G5DFR.

Authentication Bypass Information Disclosure
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-49507 CRITICAL PATCH Act Now

Critical deserialization of untrusted data vulnerability in LoftOcean CozyStay that enables object injection attacks. All versions before 1.7.1 are affected, allowing unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. This is a network-exploitable vulnerability with CVSS 9.8 severity indicating maximum real-world risk.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-40657 CRITICAL PATCH Act Now

Critical unauthenticated SQL injection vulnerability in DM Corporative CMS affecting the /modules/forms/collectform.asp endpoint via the 'codform' parameter, allowing remote attackers to execute arbitrary SQL commands without authentication. This vulnerability enables complete database compromise including data exfiltration, modification, and deletion with a CVSS score of 9.8. The exploitation likelihood depends on patch availability and active threat actor interest, though the network-accessible nature and lack of authentication requirements make this a severe priority for affected organizations.

SQLi Dm Corporative Cms
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-40656 CRITICAL PATCH Act Now

Critical SQL injection vulnerability in DM Corporative CMS that allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'cod' parameter in the /administer/node-selection/data.asp endpoint. This enables complete database compromise including unauthorized retrieval, creation, modification, and deletion of data. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this represents an extremely high-severity threat to all exposed instances; exploitation status and proof-of-concept availability should be verified against current KEV and EPSS data.

SQLi Information Disclosure Dm Corporative Cms
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-40655 CRITICAL PATCH Act Now

Critical SQL injection vulnerability in DM Corporative CMS affecting the /antcatalogue.asp endpoint's 'name' parameter, allowing unauthenticated remote attackers to execute arbitrary SQL commands with complete database compromise (retrieval, creation, modification, deletion). With a CVSS 9.8 score, zero authentication requirements, and network-accessible attack surface, this vulnerability represents an immediate and severe risk to all exposed instances; exploitation likelihood is extremely high given the straightforward injection point and lack of input validation.

SQLi Information Disclosure Dm Corporative Cms
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-40654 CRITICAL PATCH Act Now

A critical SQL injection vulnerability (CVE-2025-40654) exists in DM Corporative CMS affecting the /antbuspre.asp endpoint, where the 'name' and 'cod' parameters are not properly sanitized. This unauthenticated, network-accessible vulnerability allows remote attackers to execute arbitrary SQL commands, enabling complete database compromise including data exfiltration, modification, and destruction. With a CVSS 9.8 score and network-exploitable attack surface, this represents a critical production risk if DM Corporative CMS is internet-facing.

SQLi Information Disclosure Dm Corporative Cms
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-42989 CRITICAL Act Now

Privilege escalation vulnerability in RFC inbound processing that fails to enforce proper authorization checks for authenticated users, allowing attackers to escalate privileges and critically compromise application integrity and availability. The vulnerability affects authenticated users (PR:L) with network accessibility (AV:N) and has a critical CVSS score of 9.6; without access to KEV, EPSS, or POC data, assessment indicates high real-world risk due to the low attack complexity (AC:L) and cross-boundary impact (S:C) combined with authentication bypass in authorization logic.

Privilege Escalation
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-5906 MEDIUM POC This Month

Critical authentication bypass vulnerability in code-projects Laundry System 1.0 affecting the /data/ endpoint, allowing unauthenticated remote attackers to read, modify, and potentially disrupt system availability. The vulnerability has been publicly disclosed with exploit code available, and while CVSS 7.3 indicates moderate-to-high severity, the network-based attack vector (AV:N), lack of privilege requirement (PR:N), and absence of user interaction (UI:N) make this immediately exploitable in production environments. Active exploitation is likely given public POC availability and the ease of attack execution.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-5985 MEDIUM POC This Month

Critical improper authentication vulnerability in code-projects School Fees Payment System version 1.0 that allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to the system. The vulnerability has been publicly disclosed with proof-of-concept exploitation details available, making it an active threat with high likelihood of real-world exploitation against educational institutions and payment processing systems.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-5980 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Restaurant Order System 1.0 affecting the /order.php file, specifically the 'tabidNoti' parameter. Remote unauthenticated attackers can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5979 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /branch.php file's ID parameter, allowing remote unauthenticated attackers to execute arbitrary SQL commands. The vulnerability has been publicly disclosed with proof-of-concept exploitation available, and while the CVSS score is 7.3 (High), the unauthenticated network-accessible attack vector combined with confirmed public exploit disclosure indicates active exploitation risk. This affects all deployments of the vulnerable version without patches applied.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5977 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects School Fees Payment System version 1.0, specifically in the /datatable.php file where the sSortDir_0 parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability of the underlying database. The vulnerability has been publicly disclosed with exploit code available, indicating active exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5913 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2024-57186 MEDIUM POC PATCH This Month

In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.

Path Traversal Erxes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
Page 1 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy