Skip to main content
CVE-2025-49825 CRITICAL POC PATCH THREAT Act Now

Critical remote authentication bypass vulnerability affecting Teleport Community Edition versions 17.5.1 and earlier, allowing unauthenticated attackers to completely compromise authentication mechanisms over the network without any user interaction. With a CVSS score of 9.8 and no available open-source patch at disclosure, this vulnerability represents an immediate threat to all affected Teleport deployments, enabling full system compromise including confidentiality, integrity, and availability violations.

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
11.5%
CVE-2025-49220 CRITICAL PATCH Act Now

Critical pre-authentication remote code execution vulnerability in Trend Micro Apex Central versions below 8.0.7007, caused by insecure deserialization in a specific method. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with complete system compromise (confidentiality, integrity, and availability impact). With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this represents an immediately exploitable critical threat to exposed Apex Central installations.

Deserialization RCE Apex Central
NVD
CVSS 3.1
9.8
EPSS
7.0%
CVE-2025-49219 CRITICAL PATCH Act Now

Pre-authentication remote code execution vulnerability stemming from insecure deserialization in Trend Micro Apex Central versions below 8.0.7007. An unauthenticated attacker can exploit this vulnerability over the network with low complexity to achieve complete system compromise (confidentiality, integrity, and availability). This vulnerability is actively tracked by CISA as a known exploited vulnerability (KEV) with high CVSS 9.8 severity and carries significant real-world risk due to its network-accessible, authentication-bypass nature.

Deserialization RCE Trend Micro Authentication Bypass Apex Central
NVD
CVSS 3.1
9.8
EPSS
6.5%
CVE-2025-49213 CRITICAL PATCH Act Now

Critical pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. An unauthenticated attacker can exploit this vulnerability over the network with no user interaction required to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively being tracked and should be prioritized for immediate patching as it requires no privileges or complex attack conditions.

Deserialization RCE Trend Micro Authentication Bypass Trend Micro Endpoint Encryption
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2025-49212 CRITICAL PATCH Act Now

Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization in an unnamed method. An unauthenticated attacker on the network can exploit this over the network without user interaction to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively monitored and represents a critical threat requiring immediate patching.

Deserialization RCE Trend Micro Authentication Bypass Trend Micro Endpoint Encryption
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2025-49217 CRITICAL PATCH Act Now

Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. Attackers can exploit this vulnerability over the network without authentication to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). This is a critical, actively exploitable vulnerability affecting Trend Micro Endpoint Encryption deployments; similar to CVE-2025-49213 but in a different vulnerable method, indicating a pattern of insecure deserialization issues in the same product.

Deserialization RCE Trend Micro Authentication Bypass Trend Micro Endpoint Encryption
NVD
CVSS 3.1
9.8
EPSS
2.5%
CVE-2025-49071 CRITICAL PATCH Act Now

Critical unrestricted file upload vulnerability in NasaTheme Flozen that allows unauthenticated remote attackers to upload and execute web shells on affected servers. This vulnerability affects all versions of Flozen and carries a CVSS score of 10.0 with no authentication or user interaction required. If actively exploited (KEV status pending verification), attackers can achieve complete system compromise including confidentiality breach, integrity violation, and availability disruption.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-49447 CRITICAL Act Now

Remote arbitrary file upload in FW Food Menu WordPress plugin through version 6.0.0 allows unauthenticated attackers to upload executable files without restriction, leading to complete server compromise. The CVSS 10.0 Critical rating reflects network-accessible unauthenticated exploitation with scope change, enabling full system control. EPSS probability is low (0.10%, 29th percentile) indicating limited observed exploitation activity, though no public exploit identified at time of analysis. Patchstack-reported vulnerability affects installations using this restaurant menu management plugin.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-49444 CRITICAL Act Now

Critical unrestricted file upload vulnerability in merkulove Reformer for Elementor (versions through 1.0.5) that allows unauthenticated attackers to upload arbitrary files, including web shells, to affected servers. With a perfect CVSS 10.0 score and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete remote code execution and server compromise. Given the prevalence of Elementor in WordPress ecosystems and the trivial exploitation requirements, this represents an immediate and severe threat to all unpatched installations.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-32510 CRITICAL Act Now

CVE-2025-32510 is an unrestricted file upload vulnerability in Ovatheme Events Manager versions up to 1.8.4 that allows unauthenticated attackers to upload malicious files, achieving remote code execution and complete system compromise. With a perfect CVSS 10.0 score, network-accessible attack vector, and no authentication required, this vulnerability poses critical risk to all exposed installations. Exploitation is trivial and requires only HTTP requests.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-47559 CRITICAL Act Now

CVE-2025-47559 is an unrestricted file upload vulnerability in RomanCode MapSVG that allows authenticated users to upload and execute arbitrary web shells on affected servers. The vulnerability impacts MapSVG versions through 8.5.32, enabling attackers with valid login credentials to achieve complete system compromise (confidentiality, integrity, and availability). With a CVSS score of 9.9 and active exploitation risk indicated by the low attack complexity and widespread impact potential, this represents a critical threat to MapSVG deployments.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-47452 CRITICAL Act Now

Critical unrestricted file upload vulnerability in RexTheme WP VR plugin (versions through 8.5.26) that allows authenticated users with low privileges to upload and execute arbitrary web shells on affected WordPress servers. With a CVSS score of 9.9 and network-based attack vector requiring only low privileges, this vulnerability poses an immediate threat to WordPress installations using the affected plugin and likely has active exploitation potential given the ease of weaponization.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-49330 CRITICAL Act Now

A deserialization vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-31919 CRITICAL Act Now

PHP object injection in Spare WordPress theme versions up to 1.7 enables remote unauthenticated attackers to execute arbitrary code through deserialization of untrusted data. The CVSS 9.8 critical rating reflects network-accessible exploitation requiring no authentication or user interaction, with complete system compromise possible. EPSS score of 0.14% (34th percentile) suggests low observed exploitation probability despite critical severity, and no CISA KEV listing confirms no widespread active exploitation detected. Patchstack vulnerability database identifies this as a PHP object injection vulnerability in the WordPress theme marketplace.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-30618 CRITICAL Act Now

Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit this without user interaction. If actively exploited or proof-of-concept code is available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.

Deserialization WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49216 CRITICAL PATCH Act Now

Critical authentication bypass vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows unauthenticated remote attackers to gain administrative access and modify product configurations without valid credentials. The vulnerability has a CVSS 9.8 score indicating severe impact (confidentiality, integrity, and availability compromised), and represents a complete authentication control failure requiring immediate patching.

Authentication Bypass Trend Micro Privilege Escalation Trend Micro Endpoint Encryption
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49452 CRITICAL Act Now

Critical SQL injection vulnerability in Adrian Ladó's PostaPanduri application (versions up to 2.1.3) that allows unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 9.3 with network-based attack vector and no authentication required, enabling attackers to extract sensitive data from the database and potentially cause service disruption. Real-world exploitation risk is elevated due to the complete lack of authentication requirements and straightforward attack vector.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-47573 CRITICAL Act Now

Blind SQL injection in mojoomla School Management plugin for WordPress enables remote unauthenticated attackers to extract database contents and potentially cause service disruption. The vulnerability affects all versions up to and including 92.0.0, with public exploitation probability at 0.06% (EPSS percentile 18), indicating low observed exploitation attempts despite critical CVSS rating. Patchstack vulnerability database confirms the flaw but patch status remains unverified from available references.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-39479 CRITICAL Act Now

Blind SQL injection in Smart Notification WordPress plugin through version 10.3 allows remote unauthenticated attackers to extract sensitive database information via specially crafted requests. The vulnerability carries a CVSS score of 9.3 due to network-based attack vector, no required authentication, and potential for cross-scope impact with high confidentiality breach. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability in the wild, and no active exploitation has been confirmed via CISA KEV at time of analysis. Patchstack vulnerability database serves as the primary disclosure source.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-24773 CRITICAL Act Now

Critical SQL injection vulnerability in the WPCRM plugin (versions up to 3.2.0) for WordPress, affecting deployments integrating Contact Form 7 and WooCommerce. An unauthenticated remote attacker can execute arbitrary SQL commands with high confidence (CVSS 9.3, EPSS score likely elevated) to extract sensitive customer relationship and transaction data, though direct data modification and system availability impacts are limited. Immediate patching is strongly recommended for all affected installations.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-48274 CRITICAL Act Now

A SQL injection vulnerability in wpjobportal WP Job Portal allows Blind SQL Injection (CVSS 9.3). Critical severity with potential for significant impact on affected systems.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-4404 CRITICAL PATCH Act Now

Critical privilege escalation vulnerability in FreeIPA that allows authenticated users with high privileges to create Kerberos services with the same canonical name (krbCanonicalName) as the realm administrator, enabling them to obtain administrative credentials. The vulnerability affects FreeIPA default configurations where uniqueness validation is not enforced, allowing attackers to retrieve Kerberos tickets with admin@REALM credentials and perform unrestricted administrative operations. With a CVSS 9.1 score and network-accessible attack vector, this represents a severe threat to FreeIPA-based identity infrastructures, particularly in environments where service creation permissions are delegated or insufficiently restricted.

Privilege Escalation Information Disclosure Canonical
NVD
CVSS 3.1
9.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy