Skip to main content
CVE-2025-30317 HIGH This Week

Heap-based buffer overflow vulnerability in Adobe InDesign Desktop that allows arbitrary code execution when a user opens a malicious file. Affected versions include InDesign ID20.2, ID19.5.3, and earlier. The vulnerability requires user interaction but presents high severity risk (CVSS 7.8) with potential for complete system compromise in the context of the affected user's privileges.

Buffer Overflow RCE Adobe Indesign
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33056 HIGH PATCH This Week

Network-accessible denial-of-service vulnerability in Microsoft's Local Security Authority Server (lsasrv) caused by improper access control (CWE-284). An unauthenticated remote attacker can exploit this with low complexity to render the LSA service unavailable, affecting authentication and security policy enforcement on affected Windows systems. The CVSS 7.5 severity reflects the high availability impact; however, real-world risk depends on EPSS score, KEV candidacy status, and active exploitation data not provided in the source materials.

Microsoft Windows Denial Of Service Windows Server 2022 Windows 11 22h2 +13
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2025-40591 HIGH This Week

A security vulnerability in A vulnerability (CVSS 7.7). High severity vulnerability requiring prompt remediation.

Command Injection Siemens RCE Information Disclosure Privilege Escalation +1
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-37100 HIGH This Week

Path traversal vulnerability in HPE Aruba Networking Private 5G Core APIs that allows authenticated users to iteratively navigate the filesystem and download sensitive system files. The vulnerability affects the Private 5G Core platform with a CVSS score of 7.7 (high severity) due to confidentiality impact across system boundaries. While requiring low-privilege authentication and network access, successful exploitation directly exposes protected system files containing sensitive configuration and credential data.

Path Traversal Information Disclosure
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-42977 HIGH This Week

SAP NetWeaver Visual Composer contains a directory traversal vulnerability (CWE-22) that allows high-privileged users to bypass path validation controls and read or modify arbitrary files on the system. The vulnerability affects SAP NetWeaver Visual Composer across supported versions and has a CVSS score of 7.6 due to high confidentiality impact and network-accessible attack vector, though exploitation requires high privileges (PR:H). Exploitation likelihood and KEV/POC status cannot be confirmed from available data, but the high-privilege prerequisite significantly reduces real-world exploitability compared to the base CVSS score suggests.

SAP Path Traversal Information Disclosure
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2024-43706 HIGH PATCH This Week

CVE-2024-43706 is an improper authorization vulnerability in Kibana's Synthetic monitor endpoint that allows authenticated users to escalate privileges through direct HTTP requests. Attackers with low-level credentials can bypass access controls to perform unauthorized actions on synthetic monitoring functionality, potentially affecting confidentiality, integrity, and availability. While the CVSS 7.6 score indicates significant risk, real-world impact depends on deployment context and whether this vulnerability is actively exploited in the wild.

Elastic Privilege Escalation Authentication Bypass Kibana
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-27819 HIGH PATCH This Week

A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Denial Of Service Apache Java RCE Authentication Bypass +3
NVD GitHub HeroDevs
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-36575 HIGH PATCH This Week

A information disclosure vulnerability in an Exposure of Sensitive Information (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Information Disclosure Dell Wyse Management Suite
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-43701 HIGH This Week

CVE-2025-43701 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards that allows unauthenticated network attackers to read Custom Settings data without authorization. Affecting OmniStudio versions before 254, this high-severity flaw (CVSS 7.5) enables direct exposure of sensitive configuration data through a low-complexity attack requiring no user interaction or privileges. While KEV status and active exploitation details are not available in provided data, the combination of high CVSS score, unauthenticated attack vector, and direct confidentiality impact indicates significant real-world risk to Salesforce deployments storing sensitive configuration in Custom Settings.

Information Disclosure Salesforce Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-43700 HIGH This Week

CVE-2025-43700 is an Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards that allows unauthenticated network-based attackers to expose encrypted data without requiring user interaction. This high-impact confidentiality breach (CVSS 7.5) affects OmniStudio versions prior to Spring 2025 release and represents a significant risk to organizations using FlexCards for sensitive data handling, particularly given the low attack complexity and absence of privilege requirements.

Information Disclosure Salesforce Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-43697 HIGH This Week

Improper Preservation of Permissions vulnerability in Salesforce OmniStudio's DataMapper component that allows unauthenticated network-based attackers to expose encrypted data without requiring user interaction. The vulnerability affects OmniStudio versions prior to Spring 2025 and carries a CVSS 7.5 (High) severity rating. While specific KEV status and EPSS data were not provided in the intelligence sources, the high CVSS score combined with unauthenticated access (AV:N, PR:N) indicates this is a significant exposure risk for organizations using affected OmniStudio deployments.

Information Disclosure Salesforce Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-42995 HIGH This Week

Denial-of-service vulnerability in SAP MDM Server's Read function that allows unauthenticated network attackers to trigger memory read access violations by sending specially crafted packets, causing the server process to crash and become unavailable. The vulnerability affects SAP MDM Server with a CVSS score of 7.5 (high severity) but is limited to availability impact with no confidentiality or integrity compromise. Status of active exploitation (KEV) and proof-of-concept availability are not specified in available intelligence.

SAP Denial Of Service Memory Corruption
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-42994 HIGH This Week

Denial-of-service vulnerability in SAP MDM Server's ReadString function that allows unauthenticated remote attackers to trigger memory read access violations causing unexpected server process termination. The vulnerability affects SAP Master Data Management (MDM) Server and has a CVSS score of 7.5 with high availability impact; no confidentiality or integrity compromise occurs. This is a network-accessible denial-of-service vector with low attack complexity and no authentication requirements, making it a significant availability risk for organizations deploying SAP MDM infrastructure.

SAP Denial Of Service Memory Corruption
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-40662 HIGH PATCH This Week

CVE-2025-40662 is an absolute path disclosure vulnerability in DM Corporative CMS that exposes sensitive filesystem information when an attacker requests non-existent files within the webroot/file directory. This high-severity information disclosure (CVSS 7.5) affects DM Corporative CMS users and allows unauthenticated remote attackers to enumerate and discover the absolute filesystem paths of the application, which typically precedes further exploitation. The vulnerability has not been confirmed as actively exploited in the wild (KEV status unknown from provided data), but represents a significant reconnaissance vector with minimal attack complexity.

Information Disclosure Path Traversal Dm Corporative Cms
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-40661 HIGH PATCH This Week

CVE-2025-40661 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthenticated attackers to bypass authentication and access the private administrative area by manipulating the 'option' parameter (values 0, 1, or 2) in the /administer/selectionnode/selection.asp endpoint. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality impact, indicating potential exposure of sensitive administrative data. No KEV status, EPSS score, or confirmed POC availability was provided in the source data, limiting definitive assessment of active exploitation.

Information Disclosure Dm Corporative Cms
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-40660 HIGH PATCH This Week

CVE-2025-40660 is a security vulnerability (CVSS 7.5) that allows an attacker. High severity vulnerability requiring prompt remediation.

Information Disclosure Dm Corporative Cms
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-40659 HIGH PATCH This Week

CVE-2025-40659 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthenticated attackers to bypass access controls and view the private administrative area by manipulating the 'option' parameter (values 0, 1, or 2) in the /administer/selectionnode/framesSelectionNetworks.asp endpoint. This high-severity vulnerability (CVSS 7.5) has a high confidentiality impact but does not enable data modification or service disruption. No active exploitation in the wild (KEV) or public proof-of-concept has been confirmed in available intelligence, but the vulnerability's simplicity and unauthenticated attack vector make it a significant priority for affected organizations.

Information Disclosure Dm Corporative Cms
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-40658 HIGH PATCH This Week

CVE-2025-40658 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthenticated remote attackers to bypass access controls and view private administrative areas by manipulating the 'option' parameter (values 0, 1, or 2) in the /administer/selectionnode/framesSelection.asp endpoint. The vulnerability has a CVSS 3.1 score of 7.5 (High) with high confidentiality impact, no privilege requirement, and no user interaction needed, making it a significant authentication bypass risk for affected CMS installations.

Information Disclosure Dm Corporative Cms
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-44044 HIGH This Week

Keyoti SearchUnit versions prior to 9.0.0 contain an XML External Entity (XXE) injection vulnerability that allows unauthenticated remote attackers to exfiltrate sensitive files from affected systems. The vulnerability has a CVSS 3.1 score of 7.5 (High) with a network attack vector, no privileges required, and no user interaction needed. While no public POC or active in-the-wild exploitation has been widely documented, the straightforward attack vector and high confidentiality impact make this a significant risk for organizations running vulnerable SearchUnit instances.

XXE
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-30145 HIGH PATCH This Week

Denial-of-service vulnerability in GeoServer that allows unauthenticated remote attackers to execute malicious Jiffle scripts, causing infinite loops and service unavailability. Affected versions are GeoServer prior to 2.25.7, 2.26.3, and 2.27.0. The vulnerability is triggered through WMS dynamic styling or WPS processes and requires no authentication or user interaction, making it easily exploitable by remote attackers.

Denial Of Service Geoserver
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-32721 HIGH PATCH This Week

Privilege escalation vulnerability in Windows Recovery Driver caused by improper symlink/hardlink resolution (CWE-59: link following) that allows an authenticated local attacker to elevate privileges to SYSTEM level. The vulnerability requires user interaction and local code execution capability but provides complete system compromise once exploited. With a CVSS score of 7.3 and local attack vector, this poses significant risk to multi-user Windows systems, particularly in enterprise environments where standard users have local access.

Microsoft Windows Privilege Escalation Windows Server 2025 Windows 11 23h2 +11
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2025-22463 HIGH This Week

Cryptographic weakness in Ivanti Workspace Control versions before 10.19.10.0 where a hardcoded encryption key is embedded in the application, allowing authenticated local attackers to decrypt stored environment passwords. This vulnerability enables privilege escalation and lateral movement within affected environments. The CVSS 7.3 score reflects high confidentiality and integrity impact, though exploitation requires local access and user authentication; KEV and active exploitation status are not confirmed in available intelligence.

Information Disclosure Ivanti Privilege Escalation Workspace Control
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2024-13089 HIGH PATCH This Week

CVE-2024-13089 is an OS command injection vulnerability in the update functionality of Nozomi Networks Guardian and CMC appliances that allows authenticated administrators to bypass signature validation and execute arbitrary OS commands. While the vulnerability requires high-privilege administrative access, the improper cryptographic signature validation on update packages creates a critical integrity bypass that could lead to complete system compromise. The attack is network-accessible with no user interaction required once an administrator initiates an update.

Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-5740 HIGH This Week

Path traversal vulnerability (CWE-22) in a web application that allows authenticated users with high privileges to write arbitrary files to the system by manipulating file paths. While the CVSS score of 7.2 indicates moderate-to-high severity with high impact to confidentiality, integrity, and availability, the requirement for authenticated high-privilege access (PR:H) significantly constrains real-world exploitability. Active exploitation status, public POC availability, and EPSS score are unknown from the provided data, limiting definitive risk prioritization.

Path Traversal
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-31104 HIGH This Week

FortiADC versions 6.1 through 7.6.1 contain an OS command injection vulnerability (CWE-78) that allows authenticated attackers with high privileges to execute arbitrary code through crafted HTTP requests. The vulnerability affects multiple product versions across several release branches, with a CVSS score of 7.2 indicating high severity. While the attack requires authentication and high-level privileges, successful exploitation results in complete system compromise with confidentiality, integrity, and availability impact.

Command Injection Fortinet Fortigate RCE Authentication Bypass +1
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-49142 HIGH PATCH This Week

A remote code execution vulnerability in Nautobot (CVSS 7.1). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Python Authentication Bypass Nautobot
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26395 HIGH PATCH This Week

Stored/reflected cross-site scripting (XSS) vulnerability in SolarWinds Observability Self-Hosted caused by insufficient input sanitization in URL parameters. The vulnerability affects authenticated administrators and requires user interaction to exploit, allowing attackers with admin credentials to inject malicious scripts that execute in victim browsers with network-scoped impact (C:H, I:L, A:L). There is no indication of active exploitation in the wild (KEV status unknown) or public proof-of-concept availability based on available data.

XSS Authentication Bypass Observability Self Hosted
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49511 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in uxper Civi Framework versions up to 2.1.6 that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 (High) with high availability impact and integrity impact, though it requires user interaction (UI:R) to exploit. Without confirmed KEV status or EPSS data, the actual exploitation likelihood remains uncertain, but the network-accessible attack vector and low complexity suggest moderate real-world risk for organizations running affected Civi Framework versions.

CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-4678 HIGH PATCH This Week

CVE-2025-4678 is an OS command injection vulnerability in Pandora ITSM 5.0.105 where the chromium_path variable fails to properly neutralize special elements, allowing authenticated attackers with high privileges to execute arbitrary system commands. With a CVSS score of 7.0 and network-accessible attack vector, this vulnerability poses a significant risk to affected deployments, particularly if the system is exposed to untrusted administrative users or if privilege escalation chains exist.

Command Injection
NVD
CVSS 4.0
7.0
EPSS
0.3%
CVE-2024-13090 HIGH PATCH This Week

Privilege escalation vulnerability affecting service accounts through excessively permissive sudo rules that could allow elevation to administrative privileges. The vulnerability requires local access and lower privileges to exploit (CVSS 7.0), but notably, no actual exploitation vector has been identified in the wild. While the CVSS score indicates high impact potential, the absence of a confirmed attack vector and lack of active exploitation signals suggest this is a configuration hardening issue rather than an immediately critical threat.

Privilege Escalation Linux
NVD
CVSS 3.1
7.0
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy