Skip to main content
CVE-2024-56158 CRITICAL PATCH Act Now

Critical SQL injection vulnerability in XWiki that allows unauthenticated remote attackers to execute arbitrary SQL queries against Oracle databases by exploiting insufficient validation of native SQL functions (DBMS_XMLGEN, DBMS_XMLQUERY) in Hibernate query processing. The vulnerability affects XWiki versions before 16.10.2, 16.4.7, and 15.10.16, with a CVSS score of 9.8 indicating critical severity and complete compromise of confidentiality, integrity, and availability. This is a pre-authentication remote code execution vector with no user interaction required.

Oracle Information Disclosure Xwiki
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-4973 CRITICAL Act Now

A authentication bypass vulnerability in all (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

WordPress Authentication Bypass PHP Workreap
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-4976 CRITICAL Act Now

Archive::Unzip::Burst, a Perl module for ZIP file extraction (versions 0.01-0.09), bundles a vulnerable version of the InfoZip library affected by three critical memory corruption vulnerabilities (CVE-2014-8139, CVE-2014-8140, CVE-2014-8141). An unauthenticated remote attacker can exploit these vulnerabilities by crafting a malicious ZIP file to achieve arbitrary code execution with a CVSS score of 9.8, representing critical severity. The vulnerability requires no user interaction or special privileges and can be exploited over the network.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-43863 CRITICAL PATCH Act Now

Critical authentication bypass vulnerability in vantage6 (an open-source federated learning and privacy-enhancing technology framework) that allows attackers with valid authenticated session access to brute-force user passwords through the change password endpoint without rate limiting or account lockout protections. An attacker can enumerate passwords infinitely by calling the password change route repeatedly, receiving detailed error messages indicating password correctness. The vulnerability affects vantage6 versions prior to 4.11 and carries a CVSS score of 9.8 (critical severity).

Information Disclosure Vantage6
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49467 CRITICAL Act Now

Critical unauthenticated SQL injection vulnerability in the JEvents component for Joomla that allows remote attackers to execute arbitrary SQL queries through publicly accessible date range filtering actions. The vulnerability affects JEvents versions before 3.6.88 and 3.6.82.1, enabling attackers to extract sensitive database information, modify data, or potentially achieve remote code execution. With a CVSS score of 9.3 and network-based attack vector requiring no privileges or user interaction, this represents a severe risk to all unpatched Joomla installations using vulnerable JEvents versions.

SQLi Joomla PHP
NVD
CVSS 4.0
9.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy