Skip to main content
CVE-2025-49157 HIGH PATCH This Week

Privilege escalation vulnerability in Trend Micro Apex One's Damage Cleanup Engine that exploits improper link following (CWE-269), allowing local attackers with low-privilege code execution to escalate to higher privileges. The vulnerability requires initial code execution on the target system but presents significant risk due to its high CVSS score (7.8) and likely real-world exploitability given the common prevalence of local code execution vectors in enterprise environments.

Privilege Escalation Trend Micro Apex One
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-49384 HIGH PATCH This Week

Local privilege escalation vulnerability in Trend Micro Security 17.8 (Consumer) that exploits improper link following (symlink/junction attack) to allow a low-privileged local attacker to delete privileged Trend Micro system files without user interaction. This vulnerability carries a CVSS 7.8 high severity rating due to high impact on confidentiality, integrity, and availability; however, real-world exploitability depends on KEV status, EPSS probability data, and proof-of-concept availability, which are not provided in the available intelligence.

Privilege Escalation Trend Micro Path Traversal Maximum Security 2022
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0320 HIGH PATCH This Week

Local privilege escalation vulnerability in Citrix Secure Access Client for Windows that allows an authenticated, low-privileged user to escalate their privileges to SYSTEM level without user interaction. The vulnerability affects the Citrix Secure Access Client application on Windows systems and represents a critical threat to enterprise environments where this client is deployed, as successful exploitation grants complete system control. The CVSS 7.8 score and confirmed local attack vector indicate this is a material risk for any organization using this software, though exploitation requires prior local access to an affected system.

Privilege Escalation Citrix Windows Secure Access Client
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-41413 HIGH This Week

Fuji Electric Smart Editor contains an out-of-bounds write vulnerability (CWE-787) that allows local attackers with user-level privileges to execute arbitrary code by crafting malicious input files. The vulnerability affects Smart Editor with a CVSS score of 7.8 (high severity), requiring user interaction (opening a malicious file) but no elevated privileges. Without confirmed KEV, EPSS, or public POC data in the provided intelligence, the real-world exploitation likelihood should be assessed as moderate-to-high given the local attack vector and file-based interaction model typical of engineering software.

Buffer Overflow RCE
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-41388 HIGH This Week

Stack-based buffer overflow vulnerability in Fuji Electric Smart Editor that allows unauthenticated local attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires user interaction (opening a malicious file) but does not require elevated privileges. While the CVSS score of 7.8 reflects high severity, real-world risk depends on KEV status, EPSS score, and public exploit availability, which are not provided in the source data.

Buffer Overflow RCE
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-32412 HIGH This Week

CVE-2025-32412 is an out-of-bounds read vulnerability in Fuji Electric Smart Editor that permits arbitrary code execution through a local attack vector requiring user interaction. The vulnerability affects Fuji Electric Smart Editor across affected versions and is classified as high-severity with a CVSS score of 7.8. While no KEV or active exploitation is confirmed in the provided data, the local attack vector combined with user interaction requirement and high impact (confidentiality, integrity, availability) makes this a significant concern for organizations using this industrial automation software.

Buffer Overflow RCE
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-4879 HIGH PATCH This Week

Local privilege escalation vulnerability in Citrix Workspace app for Windows that allows low-privileged users to gain SYSTEM-level privileges through an improper privilege management flaw (CWE-269). The vulnerability has a CVSS score of 7.8 (High) with low attack complexity and no user interaction required, making it a significant local threat. Status of KEV inclusion, active exploitation, and proof-of-concept availability cannot be confirmed from provided data, but the combination of high CVSS and local attack vector suggests meaningful real-world risk for organizations running Citrix Workspace on Windows endpoints.

Privilege Escalation Citrix Windows Workspace
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-49218 HIGH PATCH This Week

Post-authentication SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows low-privileged authenticated users to escalate privileges through SQL injection attacks. The vulnerability has a CVSS score of 7.7 (high severity) with significant impact on confidentiality, integrity, and availability. While this is a post-auth vulnerability requiring initial low-privileged code execution, successful exploitation enables privilege escalation, making it a critical concern for organizations running affected PolicyServer instances.

SQLi Trend Micro Privilege Escalation Trend Micro Endpoint Encryption
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-49211 HIGH PATCH This Week

SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer that enables privilege escalation on affected systems. The vulnerability requires an attacker to first obtain low-privileged code execution on the target system, after which SQL injection can be leveraged to escalate privileges and gain high-impact access (confidentiality compromise, integrity violation, availability disruption). With a CVSS score of 7.7 and local attack vector, this poses a significant risk to organizations running vulnerable PolicyServer instances, particularly in multi-user environments or where low-privileged service accounts are present.

SQLi Trend Micro Privilege Escalation Trend Micro Endpoint Encryption
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-47865 HIGH PATCH This Week

Local File Inclusion (LFI) vulnerability in Trend Micro Apex Central widgets that enables remote code execution (RCE) on affected systems. This vulnerability affects Trend Micro Apex Central installations below version 8.0.6955 and requires an authenticated attacker with low privileges to exploit. The vulnerability combines LFI with RCE capabilities, representing a significant threat to organizations using vulnerable Apex Central deployments.

RCE Trend Micro LFI Apex Central
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-47867 HIGH PATCH This Week

Local File Inclusion (LFI) vulnerability in Trend Micro Apex Central widgets (versions below 8.0.6955) that allows authenticated attackers to include and execute arbitrary PHP files, achieving remote code execution on affected systems. The vulnerability requires low-level user authentication and moderate attack complexity but carries high impact across confidentiality, integrity, and availability. Active exploitation status and proof-of-concept availability have not been confirmed from the provided data, but the authentication requirement and network accessibility make this a credible threat to deployed Apex Central instances.

PHP RCE Trend Micro LFI Apex Central
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-49854 HIGH This Week

SQL Injection vulnerability in Anh Tran Slim SEO plugin (versions through 4.5.4) that allows high-privileged attackers to execute arbitrary SQL commands, potentially leading to data exfiltration and service disruption. The vulnerability requires administrator-level privileges to exploit, significantly limiting its real-world impact compared to unauthenticated SQL injection attacks. While the CVSS score of 7.6 indicates moderate-to-high severity, the privilege requirement (PR:H) substantially reduces the practical threat landscape.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-28972 HIGH This Week

Blind SQL Injection vulnerability in Suhas Surse WP Employee Attendance System affecting versions through 3.5, allowing authenticated attackers with high privileges to extract sensitive database information. While the CVSS score of 7.6 indicates moderate-to-high severity, the attack requires administrator-level credentials and the confidentiality impact is high; however, integrity and availability impacts are limited. No current KEV designation or widespread public POC availability has been reported, though the vulnerability's nature as SQL injection makes exploitation theoretically straightforward for skilled attackers.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-4365 HIGH PATCH This Week

CVE-2025-4365 is an arbitrary file read vulnerability affecting Citrix NetScaler Console and NetScaler SDX (SVM) that allows unauthenticated remote attackers to read sensitive files from affected systems. The vulnerability has a CVSS score of 7.5 (high severity) with a network-accessible attack vector requiring no authentication or user interaction. While specific KEV and EPSS data were not provided in the intelligence sources, the combination of high CVSS, unauthenticated access, and file disclosure capability indicates this requires prompt remediation.

Citrix Information Disclosure Path Traversal Netscaler Console Netscaler Sdx
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-47572 HIGH This Week

A security vulnerability in mojoomla School Management allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-32549 HIGH This Week

A security vulnerability in mojoomla WPGYM allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49451 HIGH This Week

A Path Traversal vulnerability (CWE-35) exists in the Aeroscroll Gallery WordPress plugin (versions through 1.0.12) that allows unauthenticated remote attackers to access arbitrary files on the server, potentially exposing sensitive configuration files, database credentials, and other confidential data. The vulnerability has a CVSS score of 7.5 (High) with network accessibility and no authentication required, making it a significant information disclosure risk for all installations of affected versions.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-33122 HIGH This Week

A privilege escalation vulnerability (CVSS 7.5) that allows a user. High severity vulnerability requiring prompt remediation.

IBM Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49176 HIGH PATCH This Week

CVE-2025-49176 is an integer overflow vulnerability in the X11 Big Requests extension that allows local attackers with low privileges to bypass request size validation by triggering a multiplication-based integer wrap-around, enabling denial of service or potential code execution through oversized X protocol requests. The vulnerability affects X11 server implementations that use the Big Requests extension; while not currently listed in CISA KEV catalog, the 7.3 CVSS score and local attack vector indicate moderate-to-high real-world risk for multi-user systems. No public POC or active exploitation has been confirmed at time of analysis.

Integer Overflow Buffer Overflow
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-49179 HIGH PATCH This Week

CVE-2025-49179 is an integer overflow vulnerability in the X Record extension's RecordSanityCheckRegisterClients function that allows authenticated local users to bypass request length validation checks. This flaw enables privilege escalation and potential code execution on affected X11 systems. With a CVSS score of 7.3 and requiring local access with low privileges, this poses a moderate-to-high risk for multi-user systems; exploitation status and POC availability have not been confirmed in public disclosures as of analysis time.

Buffer Overflow Integer Overflow
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-3774 HIGH This Week

The Wise Chat WordPress plugin versions up to 3.3.4 contains a Stored Cross-Site Scripting (XSS) vulnerability in the X-Forwarded-For header processing that allows unauthenticated attackers to inject malicious scripts without authentication or user interaction. When vulnerable pages are accessed by site visitors, the injected scripts execute in their browsers, potentially enabling credential theft, session hijacking, or malware distribution. This vulnerability has a CVSS score of 7.2 (High) and affects all publicly-facing WordPress installations running the affected plugin versions.

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-49331 HIGH This Week

Deserialization of untrusted data vulnerability in impleCode eCommerce Product Catalog versions up to 3.4.3 that allows authenticated attackers with high privileges to perform object injection attacks. The vulnerability enables remote code execution or unauthorized data manipulation through malicious serialized objects. While the CVSS score of 7.2 is moderate-to-high, the requirement for high privileges (PR:H) significantly limits real-world exploitability; however, this should not be underestimated in multi-tenant or insider threat scenarios.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-30680 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central SaaS that allows authenticated attackers to manipulate parameters and disclose sensitive information from affected installations. The vulnerability affects only the SaaS deployment model of Apex Central; SaaS customers receiving automatic monthly maintenance updates are not impacted. While no public exploit or KEV status is indicated, the CVSS 7.1 score and information disclosure capability present moderate risk for organizations with manual SaaS deployments or on-premises installations.

Information Disclosure SSRF Trend Micro Apex Central
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49316 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in the Saleswonder Team Tobias WP2LEADS WordPress plugin (versions up to 3.5.0) that allows unauthenticated attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector requiring user interaction, and while KEV/active exploitation status and POC availability are not explicitly confirmed in provided data, the low attack complexity and reflected nature suggest moderate real-world risk.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49312 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in the CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress affecting versions through 5.4.8.1. An unauthenticated attacker can inject malicious scripts into web pages viewed by users with no special privileges required, potentially leading to session hijacking, credential theft, or malware distribution. The CVSS 7.1 score reflects the moderate severity with network attack vector and user interaction requirement.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49266 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in Rustaurius Ultimate Reviews WordPress plugin versions up to 3.2.14, allowing unauthenticated attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can compromise session tokens, steal sensitive data, or perform actions on behalf of affected users. While this is a network-accessible, low-complexity attack with moderate CVSS score (7.1), reflected XSS vulnerabilities are commonly exploited and proof-of-concept code is typically straightforward to develop.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48333 HIGH PATCH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in WPQuark's eForm WordPress Form Builder plugin that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the eForm plugin across unspecified version ranges and can be exploited with user interaction to compromise confidentiality, integrity, and availability. No active KEV designation or confirmed POC availability is documented, but the network-accessible nature and low attack complexity present moderate real-world exploitation risk.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48145 HIGH This Week

A cross-site scripting vulnerability in Michal Jaworski Track (CVSS 7.1). High severity vulnerability requiring prompt remediation.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-39508 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in NasaTheme Nasa Core versions up to 6.3.2 that allows unauthenticated attackers to inject arbitrary JavaScript code into web pages viewed by other users. The vulnerability affects the Nasa Core component through improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or distribute malware. With a CVSS score of 7.1 and low attack complexity, this vulnerability poses a moderate-to-high risk to affected installations, particularly if the affected theme is actively deployed in production environments.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30988 HIGH This Week

Stored Cross-Site Scripting (XSS) vulnerability in CreativeMedia Elite Video Player versions up to 10.0.5 that allows unauthenticated attackers to inject and persist malicious scripts through the web page generation process. An attacker can craft a malicious input that gets stored in the application and executed in the browsers of other users who view the affected page, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (UI:R) but has a network attack vector with no authentication required, making it a moderate-to-high priority threat depending on deployment context.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49156 HIGH PATCH This Week

Privilege escalation vulnerability in Trend Micro Apex One's scan engine that exploits improper link handling to allow local attackers to escalate privileges. The vulnerability affects Trend Micro Apex One installations and requires an attacker to first obtain low-privileged code execution on the target system. While no active exploitation in the wild has been confirmed at this time, the CVSS score of 7.0 indicates a high-severity local privilege escalation risk for organizations running vulnerable versions.

Privilege Escalation Trend Micro Apex One
NVD
CVSS 3.1
7.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy