Skip to main content
CVE-2024-37396 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.

XSS Redcap
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-37394 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.

XSS Redcap
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-57189 MEDIUM POC PATCH This Month

In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.

Path Traversal Erxes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-37395 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.

XSS Redcap
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-36852 CRITICAL POC Act Now

CVE-2025-36852 is a security vulnerability (CVSS 9.4) that allows any contributor with pull request privileges. Critical severity with potential for significant impact on affected systems.

Authentication Bypass Google
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-27505 MEDIUM POC PATCH This Month

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.

Authentication Bypass Geoserver
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2025-5935 MEDIUM POC PATCH This Month

A vulnerability was found in Open5GS up to 2.7.3. It has been declared as problematic. Affected by this vulnerability is the function common_register_state of the file src/mme/emm-sm.c of the component AMF/MME. The manipulation of the argument ran_ue_id leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 62cb99755243c9c38e4c060c5d8d0e158fe8cdd5. It is recommended to apply a patch to fix this issue.

Denial Of Service Debian Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-38524 MEDIUM POC PATCH This Month

GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.

Information Disclosure Geoserver
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-49455 CRITICAL PATCH Act Now

Critical deserialization of untrusted data vulnerability in LoftOcean TinySalt that enables object injection attacks. This vulnerability affects TinySalt versions prior to 3.10.0 and allows unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. The attack vector is network-based with low complexity, resulting in a CVSS 9.8 critical severity rating; exploitation status and POC availability cannot be confirmed from provided data, but the vulnerability's remote and unauthenticated nature suggests high real-world exploitability.

Deserialization
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2024-34711 CRITICAL PATCH Act Now

CVE-2024-34711 is an improper URI validation vulnerability in GeoServer that allows unauthenticated attackers to bypass XML External Entity (XXE) filtering and perform information disclosure attacks against internal networks. The vulnerability affects GeoServer versions prior to 2.25.0, where a weak regex pattern in the PreventLocalEntityResolver class fails to adequately block malicious URIs, enabling attackers to make arbitrary HTTP requests and scan internal infrastructure. With a CVSS score of 9.3 and high exploitation probability, this vulnerability poses a significant risk for network reconnaissance and potential lateral movement attacks.

Authentication Bypass Geoserver
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-47172 HIGH PATCH This Week

SQL injection vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotely without user interaction. The vulnerability affects SharePoint deployments where an authorized user can craft malicious SQL commands through improperly neutralized input fields. This is a high-severity issue (CVSS 8.8) with significant confidentiality, integrity, and availability impact, particularly concerning given SharePoint's role as a critical enterprise collaboration platform.

Microsoft SQLi Exchange RCE Sharepoint Enterprise Server +1
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2025-43698 CRITICAL Act Now

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

Salesforce Privilege Escalation Information Disclosure
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-33064 HIGH PATCH This Week

Heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) that allows authenticated network attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. This is a critical vulnerability affecting RRAS implementations across Windows Server and client operating systems; exploitation requires valid credentials but no user interaction, making it suitable for lateral movement and privilege escalation scenarios within compromised networks.

Microsoft Buffer Overflow Windows Server 2025 Windows 11 23h2 Windows 10 1507 +13
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2025-48937 MEDIUM POC PATCH This Month

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. This vulnerability is fixed in 0.11.1 and 0.12.0.

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2024-50562 MEDIUM POC This Month

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.

Fortinet Information Disclosure
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
0.4%
CVE-2025-33066 HIGH PATCH This Week

Heap-based buffer overflow vulnerability in Windows Routing and Remote Access Service (RRAS) that allows unauthenticated remote attackers to execute arbitrary code over the network with user interaction. This is a critical network-accessible vulnerability affecting Windows systems running RRAS; successful exploitation grants the attacker complete system compromise with high confidentiality, integrity, and availability impact. The CVSS 8.8 score reflects the severity, though real-world exploitation probability and active KEV status would determine if this is actively weaponized.

Microsoft Buffer Overflow Windows 11 23h2 Windows 10 1809 Windows Server 2019 +13
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5943 HIGH This Week

MicroDicom DICOM Viewer contains an out-of-bounds write vulnerability (CWE-787) that allows remote attackers to execute arbitrary code with high integrity and confidentiality impact (CVSS 8.8). The vulnerability requires user interaction-either visiting a malicious website or opening a crafted DICOM file-making it exploitable in realistic attack scenarios. No active exploitation in the wild (KEV) or public POC has been confirmed at this time, but the network-accessible attack vector and low complexity suggest meaningful real-world risk.

Buffer Overflow RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-27818 HIGH PATCH This Week

A remote code execution vulnerability in A possible security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Deserialization Java Apache LDAP RCE +3
NVD GitHub HeroDevs
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-5353 HIGH This Week

Credential disclosure vulnerability in Ivanti Workspace Control versions before 10.19.10.0, where a hardcoded cryptographic key enables local authenticated attackers to decrypt stored SQL database credentials. This allows privilege escalation and lateral movement within enterprise environments. With a CVSS score of 8.8 and local attack vector requiring authentication, exploitation requires internal access but poses significant risk to SQL database security and overall system compromise.

Information Disclosure Ivanti Authentication Bypass Workspace Control
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-22455 HIGH This Week

Cryptographic weakness in Ivanti Workspace Control prior to version 10.19.0.0 that uses a hardcoded encryption key to protect SQL database credentials stored locally. A local authenticated attacker with user-level privileges can exploit this to decrypt and extract stored SQL credentials without elevated permissions, potentially leading to lateral movement and data exfiltration. The CVSS 8.8 score reflects high severity due to confidentiality and integrity impacts across system boundaries, though exploitation requires local access and valid authentication.

Information Disclosure Ivanti Authentication Bypass Workspace Control
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-4601 HIGH This Week

The RH - Real Estate WordPress Theme contains an Improper Access Control vulnerability (CWE-269) that allows authenticated subscribers and higher-privileged users to escalate their account privileges to administrator level through the inspiry_update_profile() function. All versions up to and including 4.4.0 are affected; versions 4.4.0 contain a partial patch while 4.4.1 provides complete remediation. With a CVSS score of 8.8 and network-based attack vector requiring only low-privilege authentication, this represents a critical privilege escalation risk for any WordPress installation using this theme.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-4387 HIGH This Week

The Abandoned Cart Pro for WooCommerce plugin (versions ≤9.16.0) contains an authenticated arbitrary file upload vulnerability in the wcap_add_to_cart_popup_upload_files function that lacks file type validation. Authenticated attackers with subscriber-level privileges can upload arbitrary files to the server, potentially enabling remote code execution depending on server configuration. This is a high-severity vulnerability (CVSS 8.8) affecting WooCommerce e-commerce sites; exploitation requires valid user credentials but no user interaction.

WordPress File Upload RCE PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-47849 HIGH PATCH This Week

A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High severity vulnerability requiring prompt remediation.

Apache Privilege Escalation Information Disclosure Cloudstack
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-47713 HIGH PATCH This Week

A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High severity vulnerability requiring prompt remediation.

Apache Privilege Escalation Denial Of Service Information Disclosure Cloudstack
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-42982 HIGH This Week

Privilege escalation vulnerability in SAP GRC that allows authenticated non-administrative users to access and initiate transactions capable of modifying system credentials. This critical flaw compromises confidentiality, integrity, and availability across the application, with a CVSS score of 8.8 indicating high severity. The vulnerability requires valid credentials to exploit but has no privilege requirements beyond basic user access, making it a significant risk in environments with broad GRC user bases.

SAP Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-0051 HIGH This Week

Improper input validation vulnerability in Pure Storage FlashArray's authentication process that enables unauthenticated network-based denial of service attacks. The vulnerability allows remote attackers without credentials to crash or degrade the availability of affected FlashArray systems by sending malformed authentication requests. This is a high-severity issue (CVSS 8.7) with network accessibility and no authentication requirements, making it broadly exploitable across internet-exposed or network-accessible FlashArray deployments.

Denial Of Service
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-46840 HIGH This Week

CVE-2025-46840 is an Improper Authorization vulnerability in Adobe Experience Manager (AEM) versions 6.5.22 and earlier that allows low-privileged attackers to escalate privileges and bypass security controls, potentially achieving session takeover. The vulnerability requires user interaction and has a CVSS score of 8.7 with high confidentiality and integrity impact. While no active exploitation in the wild (KEV status) or public proof-of-concept is currently documented, the network-accessible attack vector and low attack complexity combined with privilege escalation capabilities make this a high-priority patch candidate for organizations running affected AEM instances.

Adobe Privilege Escalation Authentication Bypass Experience Manager
NVD
CVSS 3.1
8.7
EPSS
0.1%
CVE-2025-46837 HIGH This Week

Adobe Experience Manager (AEM) versions 6.5.22 and earlier contain a reflected Cross-Site Scripting (XSS) vulnerability in form field handling that allows low-privileged attackers to inject malicious JavaScript. When a victim visits a page containing the vulnerable field with attacker-controlled input, the script executes in their browser context, enabling session hijacking and credential theft. The vulnerability has a CVSS score of 8.7 (High) and requires user interaction but no special privileges beyond basic AEM access.

Adobe XSS Information Disclosure Experience Manager
NVD
CVSS 3.1
8.7
EPSS
0.1%
CVE-2025-4680 HIGH PATCH This Week

CVE-2025-4680 is an improper input validation vulnerability in upKeeper Solutions' upKeeper Instant Privilege Access that allows attackers with local access and low privileges to bypass access control security levels and achieve high-impact confidentiality, integrity, and availability violations. Versions before 1.4.0 are affected. With a CVSS score of 8.6 and local attack vector requiring user interaction, this represents a significant privilege escalation risk for organizations using this privileged access management solution, particularly if KEV status indicates active exploitation or public POC availability.

Information Disclosure
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-4681 HIGH PATCH This Week

CVE-2025-4681 is an Improper Privilege Management vulnerability in upKeeper Solutions' upKeeper Instant Privilege Access that allows authenticated local attackers with low privileges to escalate permissions and achieve high-impact confidentiality, integrity, and availability violations. This affects all versions of upKeeper Instant Privilege Access before 1.4.0, and the CVSS 8.6 severity combined with local attack vector and low privilege requirements indicates a significant real-world threat to organizations using this privilege access management solution.

Information Disclosure
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-42983 HIGH This Week

High-severity authentication bypass vulnerability in SAP Business Warehouse and SAP Plug-In Basis that allows authenticated attackers to drop arbitrary database tables, resulting in data loss or system unavailability. The vulnerability requires valid credentials but no user interaction, affecting systems across the network with a CVSS score of 8.5. While integrity impact is limited (attacker cannot read data), availability impact is severe, making this a critical integrity and availability threat for SAP deployments.

SAP Denial Of Service Privilege Escalation
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-47167 HIGH PATCH This Week

Type confusion vulnerability in Microsoft Office that allows unauthenticated local attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability exploits improper resource access due to incompatible type handling, requiring no user interaction or privileges. This is a critical local code execution vector affecting Microsoft Office installations.

Microsoft Authentication Bypass Memory Corruption
NVD VulDB
CVSS 3.1
8.4
EPSS
0.5%
CVE-2025-47953 HIGH PATCH This Week

A security vulnerability in Use after free in Microsoft Office (CVSS 8.4) that allows an unauthorized attacker. High severity vulnerability requiring prompt remediation.

Microsoft Denial Of Service
NVD VulDB
CVSS 3.1
8.4
EPSS
0.4%
CVE-2025-47164 HIGH PATCH This Week

Use-after-free (UAF) vulnerability in Microsoft Office that allows unauthenticated local attackers to execute arbitrary code with no user interaction required. The vulnerability affects multiple Microsoft Office versions and has a CVSS score of 8.4 (High), indicating severe risk with high impact to confidentiality, integrity, and availability. Without publicly disclosed EPSS data or KEV confirmation provided, the actual exploitation likelihood in the wild remains unconfirmed, though the local attack vector and lack of privilege/interaction requirements suggest moderate real-world exploitability once weaponized.

Use After Free Microsoft Denial Of Service Memory Corruption
NVD VulDB
CVSS 3.1
8.4
EPSS
0.3%
CVE-2025-47162 HIGH PATCH This Week

Heap-based buffer overflow vulnerability in Microsoft Office that allows unauthenticated local attackers to execute arbitrary code with high privileges. The vulnerability affects Microsoft Office products across multiple versions and requires no user interaction or special privileges to exploit. With a CVSS score of 8.4 and local attack vector, this represents a severe local privilege escalation and code execution risk; exploitation status and real-world activity should be verified against KEV catalogs and EPSS scoring.

Microsoft Buffer Overflow Heap Overflow
NVD VulDB
CVSS 3.1
8.4
EPSS
0.3%
CVE-2025-33067 HIGH PATCH This Week

Local privilege escalation vulnerability in the Windows Kernel stemming from improper privilege management (CWE-269), allowing an unauthenticated attacker with local system access to escalate privileges without user interaction. This affects multiple Windows versions and has a CVSS 8.4 severity rating indicating high confidentiality, integrity, and availability impact. The vulnerability's low attack complexity (AC:L) and lack of privilege requirements (PR:N) indicate it is relatively straightforward to exploit for any local attacker.

Microsoft Privilege Escalation Windows Windows 10 22h2 Windows 10 1809 +11
NVD
CVSS 3.1
8.4
EPSS
0.3%
CVE-2025-36574 HIGH PATCH This Week

Dell Wyse Management Suite versions prior to 5.2 contain an Absolute Path Traversal vulnerability (CWE-36) that allows unauthenticated remote attackers to read arbitrary files and gain unauthorized access without user interaction. The CVSS 8.2 score reflects high confidentiality impact and low integrity impact, with network-based attack vector requiring no privileges or interaction. No KEV/CISA active exploitation data, EPSS score, or public POC is currently confirmed in available intelligence, but the unauthenticated remote nature and path traversal primitive warrant immediate patching.

Authentication Bypass Information Disclosure Path Traversal Dell Wyse Management Suite
NVD
CVSS 3.1
8.2
EPSS
1.2%
CVE-2025-47110 HIGH PATCH This Week

Adobe Commerce versions 2.4.8 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-47110, CVSS 8.4) in form field validation that allows high-privileged attackers to inject malicious JavaScript into the application. When other high-privileged users view pages containing the injected payload, the malicious script executes in their browser context, potentially compromising confidentiality, integrity, and availability across multiple privileged accounts. The vulnerability requires high privileges to exploit but affects other high-privileged users, making it a significant concern in multi-admin environments.

Adobe XSS Privilege Escalation Magento Commerce +1
NVD
CVSS 3.1
8.4
EPSS
0.2%
CVE-2025-33112 HIGH This Week

Local privilege escalation vulnerability in IBM AIX 7.3 and IBM VIOS 4.1.1's Perl implementation that allows non-privileged local users to execute arbitrary code through improper pathname neutralization (path traversal). With a CVSS score of 8.4 and no authentication requirement, this represents a critical risk for AIX environments where local user access exists. The vulnerability's active exploitation status and proof-of-concept availability would significantly elevate real-world risk.

RCE IBM Privilege Escalation Path Traversal Aix +1
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-0052 HIGH This Week

CVE-2025-0052 is an improper input validation vulnerability in Pure Storage FlashBlade's authentication process that allows unauthenticated network attackers to trigger a denial of service condition with high availability impact. While the CVSS score of 8.3 reflects significant availability risk, the high attack complexity (AC:H) suggests practical exploitation requires specific conditions. No confirmed KEV/CISA status, active exploitation, or public POC has been disclosed at the time of analysis.

Denial Of Service
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-47977 HIGH PATCH This Week

Cross-site scripting (XSS) vulnerability in the Nuance Digital Engagement Platform that allows unauthenticated attackers to inject malicious scripts into web pages generated by the platform. This vulnerability enables spoofing attacks and potential credential theft or session hijacking over the network with only user interaction required. With a CVSS score of 8.2 and network-accessible attack vector, this represents a significant risk to organizations deploying Nuance's engagement platform, particularly given the high impact on confidentiality and cross-site scope implications.

XSS Nuance Digital Engagement Platform
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2025-23192 HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace that allows unauthenticated attackers to inject and persist malicious JavaScript code within workspaces. When authenticated users access compromised workspaces, the malicious script executes in their browser context, potentially exposing sensitive session tokens, cookies, and user data. The vulnerability has a CVSS score of 8.2 (High) with significant confidentiality impact; while KEV/EPSS data and active exploitation status are not provided in available intelligence, the attack requires user interaction and authentication context, moderating real-world severity despite the high CVSS rating.

SAP XSS Information Disclosure Businessobjects Business Intelligence
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2025-43585 HIGH PATCH This Week

Adobe Commerce versions 2.4.8 and earlier contain an improper authorization vulnerability (CWE-285) that allows unauthenticated attackers to bypass security features and gain unauthorized access to sensitive functionality. This vulnerability has a high integrity impact and can be exploited remotely without user interaction, making it a critical priority for Adobe Commerce administrators. The 8.2 CVSS score combined with the network-accessible attack vector and lack of authentication requirements indicates significant real-world risk.

Adobe Authentication Bypass PHP Magento Commerce B2b +1
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-33071 HIGH PATCH This Week

Use-after-free memory corruption vulnerability in Windows KDC Proxy Service (KPSSVC) that allows unauthenticated network attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability affects Windows systems running the Kerberos KDC Proxy Service and represents a critical remote code execution risk in Active Directory environments. While specific KEV/POC status and EPSS scores are not provided in the source data, the network attack vector combined with high CVSS 8.1 score and remote code execution capability indicates this is a significant priority for organizations relying on Windows authentication infrastructure.

Use After Free Microsoft Windows RCE Windows Server 2022 23h2 +5
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-3052 HIGH This Week

Critical arbitrary write vulnerability in Microsoft-signed UEFI firmware that permits attackers with high privileges to execute untrusted code and modify firmware settings stored in NVRAM, potentially enabling persistence mechanisms and full system compromise. The vulnerability affects UEFI implementations across multiple Microsoft platforms, with a CVSS score of 8.2 reflecting high severity. While specific KEV status and EPSS probability data were not provided in available sources, the local attack vector and high privilege requirement suggest this poses elevated risk primarily to targeted systems rather than widespread exploitation.

Microsoft RCE Red Hat
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-33070 HIGH PATCH This Week

Use-of-uninitialized-resource vulnerability in Windows Netlogon that allows unauthenticated network attackers to achieve privilege escalation through a complex exploitation path. The vulnerability affects Windows systems running Netlogon services and enables remote code execution with high impact on confidentiality, integrity, and availability. Given the network-based attack vector and lack of authentication requirements, this represents a significant threat to networked Windows environments, though exploitation requires specific conditions (high attack complexity).

Microsoft Authentication Bypass Windows 11 24h2 Windows 10 1607 Windows 10 1809 +13
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-29828 HIGH PATCH This Week

Memory management vulnerability in Windows Cryptographic Services where memory is not properly released after its effective lifetime, enabling unauthenticated remote code execution. The vulnerability affects Windows cryptographic components and allows network-based attackers to execute arbitrary code with high complexity requirements. While the CVSS score of 8.1 indicates significant severity, exploitation requires specific conditions (high attack complexity), and current status regarding KEV listing, EPSS score, and public POC availability is unknown pending official Microsoft advisory release.

Microsoft Windows RCE Memory Corruption Windows 11 24h2 +5
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-32710 HIGH PATCH This Week

Use-after-free vulnerability in Windows Remote Desktop Services (RDS) that allows unauthenticated network attackers to execute arbitrary code with high complexity requirements. The vulnerability affects Windows systems running RDS and represents a critical remote code execution risk; exploitation requires network access but no user interaction, though attack complexity is rated as high. If this CVE has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, it indicates active exploitation in the wild and should be treated as an immediate priority.

Microsoft Windows Use After Free Windows Server 2025 Windows Server 2022 23h2 +6
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-49454 HIGH PATCH This Week

PHP Local File Inclusion (LFI) vulnerability in LoftOcean TinySalt versions before 3.10.0, caused by improper control of filenames in PHP include/require statements (CWE-98). An unauthenticated remote attacker can exploit this network-accessible vulnerability with moderate complexity to read arbitrary files, execute code, and potentially achieve remote code execution, though exploitation requires specific conditions due to high attack complexity. The vulnerability has not been confirmed as actively exploited in the wild (KEV status unknown), but represents a critical risk for exposed TinySalt installations.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-35940 HIGH This Week

Critical authentication bypass vulnerability in ArchiverSpaApi ASP.NET applications caused by hard-coded JWT signing keys. An unauthenticated remote attacker can forge valid JWT tokens to bypass authentication and gain unauthorized access to protected API endpoints, potentially leading to data exfiltration, modification, or denial of service. The CVSS 8.1 score reflects high confidentiality, integrity, and availability impact, though the attack complexity is rated as high, suggesting some technical prerequisites.

Authentication Bypass .NET Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
Prev Page 2 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy