Skip to main content
CVE-2025-49586 HIGH POC PATCH This Week

A remote code execution vulnerability in XWiki (CVSS 8.8). Risk factors: public PoC available. Vendor patch is available.

RCE Xwiki
NVD GitHub
CVSS 3.1
8.8
EPSS
4.6%
CVE-2025-49581 HIGH POC PATCH This Week

Critical privilege escalation vulnerability in XWiki that allows any user with page edit rights to execute arbitrary code (Groovy, Python, Velocity) with programming-level privileges by creating malicious wiki macros. An attacker can exploit wiki macro parameter defaults to inject code into high-privilege pages like XWiki.ChildrenMacro, achieving full XWiki installation compromise. The vulnerability affects XWiki versions prior to 16.4.7, 16.10.3, and 17.0.0; patch availability is confirmed across multiple release branches.

Python RCE Xwiki
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2025-49582 HIGH POC PATCH This Week

XWiki's macro rights analyzer introduced in version 15.9RC1 contains incomplete validation that allows attackers to hide malicious script macros (Groovy, Python) by exploiting non-lowercase parameter handling and unanalyzed macro parameters. An authenticated attacker with limited privileges can inject hidden malicious macros that execute when a higher-privileged user edits the page, enabling remote code execution. This vulnerability affects XWiki versions 15.9RC1 through 16.4.6, 16.10.0-16.10.2, and 16.x-17.0.0-rc1, with patches available in versions 16.4.7, 16.10.3, and 17.0.0.

Python RCE Xwiki
NVD GitHub
CVSS 3.1
8.0
EPSS
0.6%
CVE-2025-49580 HIGH POC PATCH GHSA This Week

Privilege escalation vulnerability in XWiki where pages can unexpectedly gain script or programming rights when they contain links to pages that are subsequently renamed or moved. This allows attackers with low privileges to execute arbitrary scripts embedded in XObjects that should have been restricted, potentially leading to complete system compromise. The vulnerability affects XWiki versions 8.2 through 17.0.x and requires user interaction (page visit) to trigger, with patches available in 17.1.0-rc-1, 16.10.4, and 16.4.7.

Information Disclosure Xwiki
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-49587 HIGH POC PATCH This Week

Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.

XSS Xwiki
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-49585 HIGH POC PATCH This Week

A security vulnerability in versions (CVSS 8.0). Risk factors: public PoC available. Vendor patch is available.

RCE Privilege Escalation Code Injection Xwiki
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-28382 HIGH POC This Week

Directory traversal vulnerability in OpenC3 COSMOS versions before 6.1.0 that allows unauthenticated remote attackers to read arbitrary files from the server via the openc3-api/tables endpoint. This high-severity issue (CVSS 7.5) enables confidentiality breaches without requiring authentication or user interaction, potentially exposing sensitive configuration files, credentials, and operational data managed by the COSMOS command and control system.

Path Traversal Cosmos
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2025-28381 HIGH POC This Week

A security vulnerability in OpenC3 COSMOS (CVSS 7.5) that allows attackers. Risk factors: public PoC available.

Information Disclosure Cosmos
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49584 HIGH POC PATCH This Week

A security vulnerability in XWiki Platform (CVSS 7.5) that allows an attacker. Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Xwiki
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-5491 HIGH This Week

Remote code execution vulnerability in Acer ControlCenter that exploits a misconfigured Windows Named Pipe to allow authenticated attackers with low privileges to execute arbitrary code with SYSTEM-level permissions. The vulnerability has a CVSS score of 8.8 (High) and requires only network access and low privileges, making it a significant elevation-of-privilege vector; real-world exploitation likelihood depends on confirmation of active KEV listing and public exploit availability.

Microsoft RCE Windows
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-4232 HIGH PATCH This Week

CVE-2025-4232 is an improper neutralization of wildcards vulnerability in Palo Alto Networks GlobalProtect app for macOS that allows non-administrative users to escalate privileges to root through the log collection feature. With a CVSS score of 8.8 and requiring only low complexity remote network access with low privileges, this vulnerability presents a critical privilege escalation risk. The attack requires user interaction only at the network level (not UI) and affects the confidentiality, integrity, and availability of affected systems.

Paloalto Globalprotect macOS Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-48918 HIGH PATCH This Week

Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal Simple Klaro module versions before 1.10.0 that fails to properly neutralize user input during web page generation. An unauthenticated remote attacker can inject malicious scripts that execute in victims' browsers with high impact on confidentiality and integrity, though the attack requires user interaction (clicking a malicious link). The vulnerability has a high CVSS score of 8.8 due to its network-based attack vector and broad scope, but real-world exploitation likelihood depends on KEV/EPSS data not provided in available intelligence.

XSS Drupal PHP Simple Klaro
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-25215 HIGH PATCH This Week

A security vulnerability in the cv_close functionality of Dell ControlVault3 (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Dell Memory Corruption Use After Free
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-24922 HIGH PATCH This Week

Stack-based buffer overflow vulnerability in Dell ControlVault3's securebio_identify functionality that allows local attackers with low privileges to execute arbitrary code with high impact across the system. The vulnerability affects ControlVault3 versions prior to 5.15.10.14 and ControlVault3 Plus versions prior to 6.2.26.36, and can be triggered via a specially crafted API call with a malicious cv_object parameter.

Buffer Overflow RCE Dell
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-25050 HIGH PATCH This Week

CVE-2025-25050 is an out-of-bounds write vulnerability in Dell ControlVault3 and ControlVault 3 Plus that allows a local, authenticated attacker to trigger memory corruption through a specially crafted API call to the cv_upgrade_sensor_firmware function. An attacker with local access and low privileges can achieve high-impact compromise including complete confidentiality, integrity, and availability violations. The vulnerability affects all versions prior to ControlVault3 5.15.10.14 and ControlVault 3 Plus 6.2.26.36; exploitation requires local access and valid user credentials but no user interaction.

Buffer Overflow Dell
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-36633 HIGH PATCH This Week

Local privilege escalation vulnerability in Tenable Agent for Windows (versions prior to 10.8.5) that allows non-administrative users to arbitrarily delete system files with SYSTEM privileges. This vulnerability has a CVSS score of 8.8 (High) and could enable local attackers to compromise system integrity and gain elevated privileges. The attack requires local access but no user interaction, making it a significant risk for multi-user Windows systems running vulnerable Tenable Agent versions.

Microsoft Privilege Escalation Nessus Agent Windows
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-49468 HIGH This Week

A SQL injection vulnerability (CWE-89) exists in the No Boss Calendar Joomla component versions prior to 5.0.7, allowing authenticated users with high privileges to execute arbitrary SQL commands through the id_module parameter. The vulnerability has a CVSS 4.0 score of 8.6 with high impact on confidentiality, integrity, and availability of the database. While the attack requires high-privilege authenticated access, successful exploitation could lead to complete database compromise, data exfiltration, or system takeover.

SQLi Joomla PHP
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2025-48915 HIGH PATCH This Week

Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module that allows unauthenticated remote attackers to inject and execute malicious scripts during web page generation. All versions from 0.0.0 before 1.2.15 are affected. The vulnerability has a high CVSS score of 8.6 with no authentication or user interaction required, enabling attackers to compromise confidentiality, modify page content, and degrade availability. The network-based attack vector and low complexity indicate this is likely actively exploitable in real-world deployments.

XSS Drupal PHP Cookies Consent Management
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-48914 HIGH PATCH This Week

Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module (versions before 1.2.15) that allows unauthenticated attackers to inject malicious scripts into web pages due to improper input neutralization. The vulnerability has a CVSS score of 8.6 (High severity) with network-based attack vector requiring no privileges or user interaction, enabling attackers to compromise confidentiality, integrity, and availability of affected sites. No active KEV or widespread public PoC data is available in standard vulnerability databases, suggesting limited real-world exploitation at time of analysis, though the high CVSS and ease of exploitation (AV:N/AC:L/PR:N/UI:N) warrant immediate patching.

XSS Drupal PHP Cookies Consent Management
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-4230 HIGH PATCH This Week

Command injection vulnerability in Palo Alto Networks PAN-OS that allows authenticated administrators with CLI access to bypass system restrictions and execute arbitrary commands with root privileges. The vulnerability affects on-premises PAN-OS deployments with CVSS 8.4, but risk is significantly reduced in environments where CLI access is restricted to a limited administrative group. Cloud NGFW and Prisma Access are not affected.

Paloalto Command Injection RCE Privilege Escalation
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2025-24311 HIGH PATCH This Week

A information disclosure vulnerability in the cv_send_blockdata functionality of Dell ControlVault3 (CVSS 8.4). High severity vulnerability requiring prompt remediation.

Buffer Overflow Information Disclosure Dell
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-36631 HIGH PATCH This Week

Privilege escalation vulnerability in Tenable Agent for Windows (versions prior to 10.8.5) that allows non-administrative users to overwrite arbitrary system files with log content while executing at SYSTEM privilege level. This vulnerability enables local attackers without admin rights to achieve arbitrary file write operations with elevated privileges, potentially leading to system compromise. The vulnerability has a CVSS score of 8.4 (High) and affects Windows deployments; patch availability exists in version 10.8.5 and later.

Microsoft Information Disclosure Nessus Agent Windows
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-24919 HIGH PATCH This Week

Critical deserialization vulnerability in Dell ControlVault3 that allows unauthenticated local attackers to achieve arbitrary code execution by sending specially crafted responses to the cvhDecapsulateCmd functionality. The vulnerability affects ControlVault3 prior to version 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. An attacker who can compromise ControlVault firmware or intercept responses can trigger remote code execution with system-level privileges, making this a high-impact vulnerability despite the moderate attack complexity requirement.

Deserialization RCE Dell
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-22239 HIGH PATCH This Week

CVE-2025-22239 is an arbitrary event injection vulnerability in SaltStack's master node that allows an authorized minion to inject malicious events onto the master's event bus via the '_minion_event' method. This affects Salt Master deployments where minions have event publishing capabilities, enabling authenticated attackers to manipulate internal event flows and potentially trigger unintended master behaviors. The CVSS 8.1 score reflects high confidentiality and integrity impact with local attack vector, though exploitation requires prior authentication as an authorized minion.

Code Injection Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-22236 HIGH PATCH This Week

CVE-2025-22236 is an authorization bypass vulnerability in SaltStack Minion's event bus that allows an attacker with valid minion key credentials to craft specially-crafted messages and execute arbitrary jobs on other minions within the same Salt infrastructure. Affecting SaltStack versions 3007.0 and later, this vulnerability has a CVSS score of 8.1 (High) and requires high privileges but can escalate impact across the entire minion network. The vulnerability represents a critical lateral movement and privilege escalation vector in Salt deployments, though exploitation requires pre-existing minion key compromise.

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-5282 HIGH PATCH This Week

The WP Travel Engine plugin for WordPress contains a missing capability check in the delete_package() function, allowing unauthenticated attackers to delete arbitrary posts without authentication. This vulnerability affects all versions up to and including 6.5.1 and results in unauthorized data loss with a CVSS score of 7.5. The vulnerability is network-accessible with no user interaction required, making it a significant integrity risk for WordPress installations running vulnerable plugin versions.

WordPress PHP Privilege Escalation Wp Travel Engine
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-30399 HIGH PATCH This Week

CVE-2025-30399 is an untrusted search path vulnerability in .NET and Visual Studio that allows unauthenticated remote attackers to execute arbitrary code through a network vector, requiring user interaction. The vulnerability affects multiple versions of .NET Framework and Visual Studio across Windows platforms. While the CVSS score is 7.5 (high), the attack complexity is high and requires user interaction, potentially limiting real-world exploitation frequency.

Microsoft .NET RCE Powershell Visual Studio 2022 +3
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48920 HIGH PATCH This Week

Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the Drupal etracker module that allows unauthenticated remote attackers to inject malicious scripts into web pages without requiring user interaction. The vulnerability affects etracker versions prior to 3.1.0, enabling attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites. The CVSS 7.3 score and network-accessible attack vector indicate this is a significant vulnerability affecting any Drupal installation with the vulnerable etracker module enabled.

XSS Drupal PHP Etracker
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-39240 HIGH This Week

CVE-2025-39240 is an authenticated remote command execution vulnerability in Hikvision Wireless Access Points caused by insufficient input validation in packet handling. Attackers with valid credentials can send crafted packets to execute arbitrary commands on affected devices, potentially achieving full system compromise. The vulnerability has a CVSS 7.2 score reflecting high confidentiality, integrity, and availability impact, though it requires valid authentication credentials to exploit.

Command Injection Hikvision RCE Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-4231 HIGH PATCH This Week

Command injection vulnerability in Palo Alto Networks PAN-OS that allows an authenticated administrative user to execute arbitrary commands with root privileges. The vulnerability requires network access to the management web interface and successful authentication, making it a post-authentication remote code execution flaw. While the CVSS score of 7.2 is moderately high, the requirement for administrative credentials significantly limits its practical exploitability in most environments.

Paloalto Command Injection Privilege Escalation Pan Os
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-47959 HIGH PATCH This Week

Command injection vulnerability in Visual Studio that allows an authenticated attacker with local user interaction to execute arbitrary code over a network with high impact on confidentiality, integrity, and availability. While the vulnerability requires prior authorization and user interaction, successful exploitation could lead to complete system compromise. No public indication of active exploitation or widespread POC availability is currently documented, but the CVSS 7.1 score reflects significant risk in collaborative development environments where multiple authorized users access shared Visual Studio instances.

Command Injection Microsoft Windows RCE Visual Studio 2022
NVD
CVSS 3.1
7.1
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy