Skip to main content
CVE-2025-6021 HIGH POC PATCH CISA Act Now

Stack-based buffer overflow in libxml2's xmlBuildQName function allows remote unauthenticated attackers to crash affected systems via crafted XML input. The vulnerability affects libxml2 directly and downstream Red Hat products including OpenShift Container Platform 4.12-4.19, RHEL 7-10, and JBoss Core Services. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N), EPSS 0.75% (73rd percentile), and publicly available exploit code, this represents a moderate real-world risk focused on availability disruption rather than code execution or data compromise.

Buffer Overflow Denial Of Service Integer Overflow Libxml2 Jboss Core Services +18
NVD
CVSS 3.1
7.5
EPSS
0.8%
Threat
5.0
CVE-2025-4613 HIGH POC PATCH This Week

Path traversal vulnerability in Google Web Designer's template handling mechanism that enables remote code execution when users are socially engineered into downloading malicious ad templates. Versions prior to 16.3.0.0407 on Windows are affected, and the vulnerability requires user interaction (UI:R) but has no authentication requirements (PR:N). While CVSS 8.8 indicates high severity with complete confidentiality, integrity, and availability impact, exploitation probability and KEV status information is not provided in the available intelligence.

RCE Path Traversal Google Windows Web Designer
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-46035 HIGH POC This Week

A buffer overflow vulnerability exists in Tenda AC6 router firmware version 15.03.05.16 that allows unauthenticated remote attackers to trigger a denial of service condition by sending oversized parameters (schedStartTime and schedEndTime) to the /goform/openSchedWifi endpoint. The vulnerability is network-accessible without authentication or user interaction, making it trivially exploitable for DoS attacks against affected routers. While the CVSS score indicates high severity (7.5), the actual impact appears limited to availability (DoS only), with no confirmed code execution or data disclosure capability.

Buffer Overflow Denial Of Service Ac6 Firmware Tenda
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-0673 HIGH POC PATCH CERT-EU This Week

A denial of service vulnerability in GitLab CE/EE affecting all (CVSS 7.5) that allows an attacker. Risk factors: public PoC available.

Gitlab Denial Of Service Open Redirect
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-5012 HIGH This Week

A file upload vulnerability in all (CVSS 8.8). High severity vulnerability requiring prompt remediation.

WordPress RCE Workreap PHP
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-49199 HIGH This Week

CVE-2025-49199 is a security vulnerability (CVSS 8.8) that allows the attacker. High severity vulnerability requiring prompt remediation.

Information Disclosure Authentication Bypass Denial Of Service Field Analytics
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-4278 HIGH PATCH CERT-EU This Week

CVE-2025-4278 is an HTML injection vulnerability in GitLab CE/EE versions 18.0.0 through 18.0.1 that allows authenticated attackers to inject malicious HTML through the new search page. Under specific conditions, this vulnerability can escalate to account takeover by leveraging user interaction (UI requirement), with a CVSS score of 8.7 indicating high severity. The vulnerability requires low attack complexity and network accessibility, making it a significant risk for organizations running affected GitLab versions.

Gitlab Code Injection
NVD
CVSS 3.1
8.7
EPSS
0.1%
CVE-2025-2254 HIGH PATCH CERT-EU This Week

Cross-Site Scripting (XSS) vulnerability in GitLab's snippet viewer functionality caused by improper output encoding, affecting versions 17.9-17.10.7, 17.11-17.11.3, and 18.0-18.0.1. An authenticated attacker with UI interaction from a victim can execute arbitrary JavaScript in the context of the victim's browser session, potentially stealing session tokens, performing unauthorized actions, or stealing sensitive data. The CVSS score of 8.7 (High) reflects network accessibility and significant impact on confidentiality and integrity, though exploitation requires user interaction and authenticated access.

Gitlab XSS
NVD
CVSS 3.1
8.7
EPSS
0.1%
CVE-2025-49181 HIGH This Week

CVE-2025-49181 is an authorization bypass vulnerability in an unspecified API endpoint that allows unauthenticated remote attackers to read sensitive information via HTTP GET requests and modify service configuration (log paths, TCP ports) via HTTP POST requests, potentially causing denial of service. With a CVSS score of 8.6 and network-accessible attack vector requiring no authentication, this vulnerability presents a significant risk to exposed instances; KEV/EPSS/POC status cannot be confirmed from provided data, warranting immediate investigation of affected infrastructure.

Denial Of Service Authentication Bypass Information Disclosure Media Server
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2025-5485 HIGH This Week

User enumeration vulnerability affecting web management interfaces where usernames are limited to device identifiers (10-digit numerical values). An unauthenticated remote attacker can enumerate valid user accounts by systematically testing digit sequences, potentially gaining information disclosure and limited system manipulation capabilities. The CVSS 8.6 rating reflects high confidentiality impact, though patch status and active exploitation details require vendor-specific assessment.

Information Disclosure Authentication Bypass Brute Force
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-5484 HIGH This Week

A remote code execution vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD
CVSS 3.1
8.3
EPSS
0.1%
CVE-2025-27689 HIGH PATCH This Week

Dell iDRAC Tools versions prior to 11.3.0.0 contain an improper access control vulnerability (CWE-284) that allows low-privileged local attackers to escalate privileges without user interaction. The CVSS 7.8 score reflects high confidentiality, integrity, and availability impact. While no CVE-2025-27689 entry exists in public KEV catalogs or active exploitation databases at this time, the local attack vector with low complexity and low privilege requirements indicates this is a practical privilege escalation risk for organizations running vulnerable iDRAC Tool versions on multi-user systems.

Dell Privilege Escalation Idrac Tools
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-49182 HIGH PATCH This Week

Critical credential exposure vulnerability where admin login credentials and property configuration passwords are embedded directly in source code, enabling unauthenticated remote attackers to gain full administrative access to the affected application. The vulnerability has a CVSS score of 7.5 (High) with a network attack vector requiring no privileges or user interaction. While specific KEV/EPSS data and POC availability are not provided in the input, the presence of hardcoded credentials in source code represents a severe and often easily discoverable weakness that typically sees rapid exploitation once disclosed.

Information Disclosure Authentication Bypass Media Server
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49184 HIGH This Week

A information disclosure vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Information Disclosure Authentication Bypass Field Analytics Baggage Analytics Package Analytics +3
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49080 HIGH PATCH This Week

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated, network-based attackers to trigger a Denial of Service condition by sending specially crafted packet sequences. The vulnerability requires no privileges or user interaction and has high availability impact (complete service disruption), though no data confidentiality or integrity risk. This is a critical operational risk for organizations dependent on Absolute Secure Access for remote connectivity.

Denial Of Service Memory Corruption Buffer Overflow Secure Access
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49194 HIGH This Week

Cleartext credential transmission vulnerability where a server accepts authentication methods that transmit credentials over unencrypted channels, allowing network-based attackers to intercept and expose user credentials without requiring authentication or user interaction. The vulnerability affects any server implementation supporting plaintext credential transmission over HTTP or other unencrypted protocols. This is a high-severity confidentiality issue (CVSS 7.5) with network-accessible attack vector and no complexity requirements, making it exploitable by unauthenticated remote attackers through passive network interception.

Information Disclosure Authentication Bypass Media Server
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49183 HIGH This Week

CVE-2025-49183 is an unencrypted HTTP communication vulnerability in a REST API that exposes all traffic to network-level interception, allowing unauthenticated attackers to gather sensitive information and exfiltrate media files without authentication or user interaction required. The vulnerability affects systems using unencrypted REST API endpoints and carries a CVSS 7.5 score reflecting high confidentiality impact; real-world exploitation risk depends on network positioning and whether the affected API handles sensitive data or privileged operations.

Information Disclosure Media Server
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-43866 HIGH PATCH This Week

vantage6 servers auto-generate JWT secret keys using UUID1, a predictable algorithm that lacks cryptographic strength, allowing attackers to forge authentication tokens and gain unauthorized access to the privacy-preserving analysis platform. This affects all vantage6 versions prior to 4.11.0 where users have not manually defined a strong JWT secret. The vulnerability has a CVSS score of 7.5 with high confidentiality impact, as attackers can impersonate legitimate users without needing privileges or user interaction.

Information Disclosure Python Authentication Bypass Vantage6
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6031 HIGH This Week

Critical SSL pinning bypass vulnerability in the deprecated Amazon Cloud Cam that allows unauthenticated attackers on the same network to intercept and modify device traffic by associating the camera to an arbitrary network during its default pairing state. The vulnerability affects all Amazon Cloud Cam units, which reached end-of-life on December 2, 2022, and are no longer receiving security updates. An attacker can exploit this to eavesdrop on video streams, modify device configuration, or potentially gain unauthorized access to associated AWS infrastructure.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-55567 HIGH This Week

CVE-2024-55567 is an improper input validation vulnerability in the UsbCoreDxe module of Insyde InsydeH2O firmware that allows authenticated local attackers with high privileges to bypass SMM (System Management Mode) protections and execute arbitrary code at the highest firmware privilege level. This affects multiple kernel versions (5.4, 5.5, 5.6, 5.7) across numerous OEM BIOS implementations, enabling complete system compromise including kernel-level code execution and memory access. While CVSS rates this as 7.5 (high), real-world exploitation requires local access and administrative/BIOS-level privileges, though no public POC or active KEV designation has been confirmed.

RCE Insydeh2o
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-7562 HIGH This Week

CVE-2024-7562 is an elevated privilege vulnerability in InstallShield-generated Standalone MSI installers when multiple InstallScript custom actions are configured. An authenticated local attacker can exploit this to gain high-privilege code execution on the target system. All supported versions (InstallShield 2023 R2, 2022 R2, and 2021 R2) are affected; KEV status and active exploitation data were not provided in available intelligence sources, though the local attack vector and privilege escalation impact suggest moderate real-world risk.

Information Disclosure
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-44019 HIGH CISA This Week

CVE-2025-44019 is an uncaught exception vulnerability in AVEVA PI Data Archive that allows authenticated users to crash critical subsystems, causing denial of service and potential data loss in write caches. The vulnerability affects AVEVA PI Data Archive products across multiple versions and requires valid credentials to exploit, making it a medium-to-high risk for organizations relying on AVEVA's industrial data infrastructure.

Denial Of Service
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-36573 HIGH PATCH This Week

Dell Smart Dock Firmware versions prior to 01.00.08.01 contain an insertion of sensitive information into log file vulnerability (CWE-532) that allows local attackers without privileges to read confidential data through log file access. This is a moderate-to-high severity information disclosure issue (CVSS 7.1) affecting physical/local access scenarios; while not remotely exploitable, the lack of privilege requirements and cross-system scope impact make this a meaningful risk for shared device environments.

Information Disclosure Dell Pro Smart Dock Sd25 Firmware Pro Thunderbolt 4 Smart Dock Sd25tb4 Firmware
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-35978 HIGH This Week

Privilege escalation vulnerability in UpdateNavi and UpdateNaviInstallService that allows local authenticated attackers to modify arbitrary registry values or execute arbitrary code through improper communication channel restrictions. Affected versions include UpdateNavi V1.4 L10-L33 and UpdateNaviInstallService 1.2.0091-1.2.0125. With a CVSS score of 7.1 and local attack vector requiring low privileges, this vulnerability poses significant risk to systems running vulnerable versions, particularly in scenarios where local user accounts have network access or elevation paths.

RCE Privilege Escalation Windows
NVD
CVSS 3.0
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy