Skip to main content
CVE-2025-5777 HIGH POC KEV PATCH THREAT CERT-EU Act Now

Citrix NetScaler ADC and Gateway contain an input validation vulnerability (CVE-2025-5777, CVSS 7.5) leading to memory overread when configured as VPN or AAA virtual server. KEV-listed with EPSS 69.8% and public PoC, this vulnerability enables remote unauthenticated attackers to read sensitive data from the appliance's memory, potentially exposing session tokens, credentials, and encryption keys — similar to the Heartbleed class of memory disclosure bugs.

Information Disclosure Citrix Memory Corruption Netscaler Gateway Netscaler Application Delivery Controller
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
69.8%
Threat
6.6
CVE-2025-34510 HIGH POC THREAT Act Now

Sitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allows authenticated attackers to write arbitrary files outside the intended upload directory. By crafting ZIP archives with path traversal entries, attackers can overwrite application files and achieve remote code execution.

RCE Path Traversal Managed Cloud Experience Manager Experience Commerce +1
NVD
CVSS 3.1
8.8
EPSS
87.3%
Threat
5.9
CVE-2025-34511 HIGH POC THREAT Act Now

Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX webshells via crafted HTTP requests. The unrestricted file upload bypasses content type restrictions, enabling remote code execution on the Sitecore IIS server with any authenticated account.

File Upload RCE Experience Manager Experience Commerce Experience Platform +1
NVD
CVSS 3.1
8.8
EPSS
78.7%
Threat
5.6
CVE-2025-34509 HIGH POC PATCH THREAT Act Now

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administrative user account that allows unauthenticated remote attackers to gain unauthorized access to sensitive administrative APIs over HTTP without authentication. This vulnerability has a CVSS score of 7.5 (High) and enables confidentiality breach through direct API access; exploitation likelihood is high due to the low attack complexity and lack of authentication requirements.

Information Disclosure Experience Commerce Managed Cloud Experience Manager Experience Platform
NVD
CVSS 3.1
7.5
EPSS
23.2%
CVE-2025-49825 CRITICAL POC PATCH THREAT Act Now

Critical remote authentication bypass vulnerability affecting Teleport Community Edition versions 17.5.1 and earlier, allowing unauthenticated attackers to completely compromise authentication mechanisms over the network without any user interaction. With a CVSS score of 9.8 and no available open-source patch at disclosure, this vulnerability represents an immediate threat to all affected Teleport deployments, enabling full system compromise including confidentiality, integrity, and availability violations.

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
11.5%
CVE-2025-3515 HIGH POC PATCH This Week

The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.8.9) contains an unrestricted file upload vulnerability allowing unauthenticated attackers to bypass file type blacklists and upload dangerous file extensions (.phar, etc.). On servers configured to execute .phar files as PHP (common in default Apache+mod_php setups), this enables remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). While KEV and EPSS data are not provided, the vulnerability is actively exploitable given its public disclosure and network-accessible attack vector.

WordPress PHP RCE Code Injection Drag And Drop Multiple File Upload Contact Form 7
NVD
CVSS 3.1
8.1
EPSS
4.6%
CVE-2025-6165 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK X15 firmware (version 1.0.0-B20230714.1105) affecting the HTTP POST request handler in the /boafrm/formTmultiAP endpoint. An authenticated remote attacker can exploit this vulnerability by manipulating the 'submit-url' parameter to achieve buffer overflow, resulting in complete compromise of the router (data theft, modification, and denial of service). Public exploit code is available and the vulnerability meets the profile of actively exploitable threats.

Buffer Overflow TP-Link RCE X15 Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6164 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK A3002R router firmware version 4.0.0-B20230531.1404, affecting the HTTP POST request handler in the /boafrm/formMultiAP endpoint. An authenticated attacker can exploit improper input validation on the 'submit-url' parameter to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code is available, increasing real-world exploitation risk.

Buffer Overflow TP-Link A3002r Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6163 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK A3002RU routers (version 3.0.0-B20230809.1615 and potentially others) affecting the HTTP POST request handler at endpoint /boafrm/formMultiAP. An authenticated attacker can exploit this via a malicious 'submit-url' parameter to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code exists and the vulnerability is actively exploitable.

Buffer Overflow TP-Link RCE A3002ru Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6162 HIGH POC This Week

A buffer overflow vulnerability in A vulnerability (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6150 HIGH POC This Week

Critical remote buffer overflow vulnerability in TOTOLINK X15 router firmware (version 1.0.0-B20230714.1105) affecting the HTTP POST request handler for the /boafrm/formMultiAP endpoint. An authenticated attacker can exploit improper input validation on the 'submit-url' parameter to achieve complete system compromise including confidentiality, integrity, and availability breaches. A public proof-of-concept exists and the vulnerability is actively exploitable without user interaction.

Buffer Overflow TP-Link RCE X15 Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6149 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK A3002R firmware version 4.0.0-B20230531.1404 affecting the HTTP POST request handler for the /boafrm/formSysLog endpoint. An authenticated attacker can exploit the 'submit-url' parameter to trigger a buffer overflow, achieving remote code execution with high confidentiality, integrity, and availability impact. The vulnerability has public exploit code available and represents an active threat to deployed devices.

Buffer Overflow TP-Link A3002r Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6148 HIGH POC This Week

Critical remote buffer overflow vulnerability in TOTOLINK A3002RU firmware version 3.0.0-B20230809.1615 affecting the HTTP POST request handler for the /boafrm/formSysLog endpoint. An authenticated attacker can exploit this via manipulation of the submit-url parameter to achieve remote code execution with high confidentiality, integrity, and availability impact. The vulnerability has public exploit disclosure and represents an active threat to deployed devices.

Buffer Overflow TP-Link RCE A3002ru Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6147 HIGH POC This Week

Critical buffer overflow vulnerability in TOTOLINK A702R router firmware (version 4.0.0-B20230721.1521) affecting the HTTP POST request handler for the /boafrm/formSysLog endpoint. An authenticated attacker can exploit this vulnerability remotely by manipulating the submit-url parameter to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code is available, significantly elevating real-world exploitation risk.

Buffer Overflow TP-Link A702r Firmware TOTOLINK RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6146 HIGH POC This Week

A buffer overflow vulnerability in A vulnerability (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow TP-Link X15 Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6158 HIGH POC This Week

Critical stack-based buffer overflow vulnerability in the HTTP POST request handler (function sub_AC78) of D-Link DIR-665 firmware version 1.00, exploitable remotely by authenticated attackers. The vulnerability allows remote code execution with high confidentiality, integrity, and availability impact (CVSS 8.8). Public exploit code is available and the affected product line is no longer maintained by D-Link, significantly elevating real-world risk despite requiring low-privilege authentication.

Buffer Overflow D-Link RCE Dir 655 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-5349 HIGH POC PATCH CERT-EU This Week

Improper access control vulnerability in NetScaler ADC and NetScaler Gateway management interfaces that allows unauthenticated attackers on the adjacent network to gain high-impact unauthorized access (confidentiality, integrity, and availability compromise) without requiring user interaction. This is a critical flaw affecting widely-deployed Citrix infrastructure used by enterprises for application delivery and remote access, with high CVSS 8.8 score reflecting the severity of direct control plane compromise.

Citrix Information Disclosure Netscaler Gateway Netscaler Application Delivery Controller
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-6151 HIGH POC This Week

Buffer overflow vulnerability in TP-Link TL-WR940N V4 and TL-WR841N V11 routers, exploitable remotely through the /userRpm/WanSlaacCfgRpm.htm endpoint. An attacker with high privileges can trigger memory corruption leading to availability impact (denial of service) or potential system compromise. This vulnerability affects end-of-life products no longer receiving vendor support, significantly limiting remediation options.

Buffer Overflow TP-Link Tl Wr940n Firmware
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.5%
CVE-2025-49220 CRITICAL PATCH Act Now

Critical pre-authentication remote code execution vulnerability in Trend Micro Apex Central versions below 8.0.7007, caused by insecure deserialization in a specific method. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with complete system compromise (confidentiality, integrity, and availability impact). With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this represents an immediately exploitable critical threat to exposed Apex Central installations.

Deserialization RCE Apex Central
NVD
CVSS 3.1
9.8
EPSS
7.0%
CVE-2025-49219 CRITICAL PATCH Act Now

Pre-authentication remote code execution vulnerability stemming from insecure deserialization in Trend Micro Apex Central versions below 8.0.7007. An unauthenticated attacker can exploit this vulnerability over the network with low complexity to achieve complete system compromise (confidentiality, integrity, and availability). This vulnerability is actively tracked by CISA as a known exploited vulnerability (KEV) with high CVSS 9.8 severity and carries significant real-world risk due to its network-accessible, authentication-bypass nature.

Deserialization RCE Trend Micro Authentication Bypass Apex Central
NVD
CVSS 3.1
9.8
EPSS
6.5%
CVE-2025-49213 CRITICAL PATCH Act Now

Critical pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. An unauthenticated attacker can exploit this vulnerability over the network with no user interaction required to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively being tracked and should be prioritized for immediate patching as it requires no privileges or complex attack conditions.

Deserialization RCE Trend Micro Authentication Bypass Trend Micro Endpoint Encryption
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2025-49212 CRITICAL PATCH Act Now

Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization in an unnamed method. An unauthenticated attacker on the network can exploit this over the network without user interaction to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively monitored and represents a critical threat requiring immediate patching.

Deserialization RCE Trend Micro Authentication Bypass Trend Micro Endpoint Encryption
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2024-40570 MEDIUM POC This Month

SQL Injection vulnerability in SeaCMS v.12.9 allows a remote attacker to obtain sensitive information via the admin_datarelate.php component.

PHP SQLi Seacms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-6152 MEDIUM POC PATCH This Month

A vulnerability, which was classified as critical, was found in Steel Browser up to 0.1.3. This affects the function handleFileUpload of the file api/src/modules/files/files.routes.ts. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The patch is named 7ba93a10000fb77ee01731478ef40551a27bd5b9. It is recommended to apply a patch to fix this issue.

Path Traversal Browser
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-49217 CRITICAL PATCH Act Now

Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. Attackers can exploit this vulnerability over the network without authentication to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). This is a critical, actively exploitable vulnerability affecting Trend Micro Endpoint Encryption deployments; similar to CVE-2025-49213 but in a different vulnerable method, indicating a pattern of insecure deserialization issues in the same product.

Deserialization RCE Trend Micro Authentication Bypass Trend Micro Endpoint Encryption
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2025-49149 MEDIUM POC This Month

Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a cross-site scripting (XSS) attack when a user browses these web pages. At time of posting, there is no known patched version.

XSS Dify
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-49071 CRITICAL PATCH Act Now

Critical unrestricted file upload vulnerability in NasaTheme Flozen that allows unauthenticated remote attackers to upload and execute web shells on affected servers. This vulnerability affects all versions of Flozen and carries a CVSS score of 10.0 with no authentication or user interaction required. If actively exploited (KEV status pending verification), attackers can achieve complete system compromise including confidentiality breach, integrity violation, and availability disruption.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-49447 CRITICAL Act Now

Remote arbitrary file upload in FW Food Menu WordPress plugin through version 6.0.0 allows unauthenticated attackers to upload executable files without restriction, leading to complete server compromise. The CVSS 10.0 Critical rating reflects network-accessible unauthenticated exploitation with scope change, enabling full system control. EPSS probability is low (0.10%, 29th percentile) indicating limited observed exploitation activity, though no public exploit identified at time of analysis. Patchstack-reported vulnerability affects installations using this restaurant menu management plugin.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-49444 CRITICAL Act Now

Critical unrestricted file upload vulnerability in merkulove Reformer for Elementor (versions through 1.0.5) that allows unauthenticated attackers to upload arbitrary files, including web shells, to affected servers. With a perfect CVSS 10.0 score and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete remote code execution and server compromise. Given the prevalence of Elementor in WordPress ecosystems and the trivial exploitation requirements, this represents an immediate and severe threat to all unpatched installations.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-32510 CRITICAL Act Now

CVE-2025-32510 is an unrestricted file upload vulnerability in Ovatheme Events Manager versions up to 1.8.4 that allows unauthenticated attackers to upload malicious files, achieving remote code execution and complete system compromise. With a perfect CVSS 10.0 score, network-accessible attack vector, and no authentication required, this vulnerability poses critical risk to all exposed installations. Exploitation is trivial and requires only HTTP requests.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-47559 CRITICAL Act Now

CVE-2025-47559 is an unrestricted file upload vulnerability in RomanCode MapSVG that allows authenticated users to upload and execute arbitrary web shells on affected servers. The vulnerability impacts MapSVG versions through 8.5.32, enabling attackers with valid login credentials to achieve complete system compromise (confidentiality, integrity, and availability). With a CVSS score of 9.9 and active exploitation risk indicated by the low attack complexity and widespread impact potential, this represents a critical threat to MapSVG deployments.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-47452 CRITICAL Act Now

Critical unrestricted file upload vulnerability in RexTheme WP VR plugin (versions through 8.5.26) that allows authenticated users with low privileges to upload and execute arbitrary web shells on affected WordPress servers. With a CVSS score of 9.9 and network-based attack vector requiring only low privileges, this vulnerability poses an immediate threat to WordPress installations using the affected plugin and likely has active exploitation potential given the ease of weaponization.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-49330 CRITICAL Act Now

A deserialization vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-31919 CRITICAL Act Now

PHP object injection in Spare WordPress theme versions up to 1.7 enables remote unauthenticated attackers to execute arbitrary code through deserialization of untrusted data. The CVSS 9.8 critical rating reflects network-accessible exploitation requiring no authentication or user interaction, with complete system compromise possible. EPSS score of 0.14% (34th percentile) suggests low observed exploitation probability despite critical severity, and no CISA KEV listing confirms no widespread active exploitation detected. Patchstack vulnerability database identifies this as a PHP object injection vulnerability in the WordPress theme marketplace.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-30618 CRITICAL Act Now

Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit this without user interaction. If actively exploited or proof-of-concept code is available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.

Deserialization WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49216 CRITICAL PATCH Act Now

Critical authentication bypass vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows unauthenticated remote attackers to gain administrative access and modify product configurations without valid credentials. The vulnerability has a CVSS 9.8 score indicating severe impact (confidentiality, integrity, and availability compromised), and represents a complete authentication control failure requiring immediate patching.

Authentication Bypass Trend Micro Privilege Escalation Trend Micro Endpoint Encryption
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-6020 HIGH PATCH CISA Act Now

A privilege escalation vulnerability in A flaw (CVSS 7.8). High severity vulnerability requiring prompt remediation.

Path Traversal
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-6161 MEDIUM POC This Month

A remote code execution vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP File Upload Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6160 MEDIUM POC This Month

A critical SQL injection vulnerability exists in SourceCodester Client Database Management System version 1.0 affecting the /user_customer_create_order.php file, where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and proof-of-concept availability elevate exploitation risk, though the CVSS 7.3 rating indicates moderate real-world impact rather than critical severity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6159 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /allocate_room.php file's 'search_box' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. The vulnerability has been publicly disclosed with proof-of-concept code available, making it actively exploitable in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6157 MEDIUM POC This Month

Critical SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System version 1.0, located in the /registered-user-testing.php file where the 'testtype' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk in production environments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6155 MEDIUM POC This Month

Critical SQL injection vulnerability in PHPGurukul Hostel Management System 1.0 affecting the login functionality (/includes/login-hm.inc.php). An unauthenticated attacker can manipulate the Username parameter to execute arbitrary SQL queries remotely, potentially compromising data confidentiality, integrity, and availability. Public exploit disclosure and active exploitation potential significantly elevate real-world risk despite a moderate CVSS score of 7.3.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6154 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6153 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6167 MEDIUM POC PATCH This Month

A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function create_workflow of the file python_a2a/agent_flow/server/api.py. The manipulation leads to path traversal. Upgrading to version 0.5.6 is able to address this issue. It is recommended to upgrade the affected component.

Python Path Traversal Python A2a
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-6196 MEDIUM POC PATCH This Month

A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like Tumbler, which may process malicious files automatically when browsing directories. While no direct remote attack vectors are confirmed, any application using libgepub to parse user-supplied EPUB content could be vulnerable to a denial of service.

Denial Of Service Integer Overflow Ubuntu Debian Libgepub +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-49214 HIGH PATCH This Week

Post-authentication insecure deserialization vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows remote code execution with high impact on confidentiality, integrity, and availability. While the CVSS score of 8.8 is significant, exploitation requires prior low-privileged code execution on the target system, substantially reducing real-world attack surface compared to unauthenticated network exploits. The vulnerability affects Trend Micro Endpoint Encryption installations and should be prioritized based on organizational exposure to this specific product line and internal threat modeling of low-privileged account compromise scenarios.

Deserialization RCE Trend Micro Privilege Escalation Trend Micro Endpoint Encryption
NVD
CVSS 3.1
8.8
EPSS
2.7%
CVE-2025-49452 CRITICAL Act Now

Critical SQL injection vulnerability in Adrian Ladó's PostaPanduri application (versions up to 2.1.3) that allows unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 9.3 with network-based attack vector and no authentication required, enabling attackers to extract sensitive data from the database and potentially cause service disruption. Real-world exploitation risk is elevated due to the complete lack of authentication requirements and straightforward attack vector.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-47573 CRITICAL Act Now

Blind SQL injection in mojoomla School Management plugin for WordPress enables remote unauthenticated attackers to extract database contents and potentially cause service disruption. The vulnerability affects all versions up to and including 92.0.0, with public exploitation probability at 0.06% (EPSS percentile 18), indicating low observed exploitation attempts despite critical CVSS rating. Patchstack vulnerability database confirms the flaw but patch status remains unverified from available references.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-39479 CRITICAL Act Now

Blind SQL injection in Smart Notification WordPress plugin through version 10.3 allows remote unauthenticated attackers to extract sensitive database information via specially crafted requests. The vulnerability carries a CVSS score of 9.3 due to network-based attack vector, no required authentication, and potential for cross-scope impact with high confidentiality breach. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability in the wild, and no active exploitation has been confirmed via CISA KEV at time of analysis. Patchstack vulnerability database serves as the primary disclosure source.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy