Critical remote authentication bypass vulnerability affecting Teleport Community Edition versions 17.5.1 and earlier, allowing unauthenticated attackers to completely compromise authentication mechanisms over the network without any user interaction. With a CVSS score of 9.8 and no available open-source patch at disclosure, this vulnerability represents an immediate threat to all affected Teleport deployments, enabling full system compromise including confidentiality, integrity, and availability violations.
Critical pre-authentication remote code execution vulnerability in Trend Micro Apex Central versions below 8.0.7007, caused by insecure deserialization in a specific method. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with complete system compromise (confidentiality, integrity, and availability impact). With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this represents an immediately exploitable critical threat to exposed Apex Central installations.
Pre-authentication remote code execution vulnerability stemming from insecure deserialization in Trend Micro Apex Central versions below 8.0.7007. An unauthenticated attacker can exploit this vulnerability over the network with low complexity to achieve complete system compromise (confidentiality, integrity, and availability). This vulnerability is actively tracked by CISA as a known exploited vulnerability (KEV) with high CVSS 9.8 severity and carries significant real-world risk due to its network-accessible, authentication-bypass nature.
Critical pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. An unauthenticated attacker can exploit this vulnerability over the network with no user interaction required to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively being tracked and should be prioritized for immediate patching as it requires no privileges or complex attack conditions.
Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization in an unnamed method. An unauthenticated attacker on the network can exploit this over the network without user interaction to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively monitored and represents a critical threat requiring immediate patching.
Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. Attackers can exploit this vulnerability over the network without authentication to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). This is a critical, actively exploitable vulnerability affecting Trend Micro Endpoint Encryption deployments; similar to CVE-2025-49213 but in a different vulnerable method, indicating a pattern of insecure deserialization issues in the same product.
Critical unrestricted file upload vulnerability in NasaTheme Flozen that allows unauthenticated remote attackers to upload and execute web shells on affected servers. This vulnerability affects all versions of Flozen and carries a CVSS score of 10.0 with no authentication or user interaction required. If actively exploited (KEV status pending verification), attackers can achieve complete system compromise including confidentiality breach, integrity violation, and availability disruption.
Remote arbitrary file upload in FW Food Menu WordPress plugin through version 6.0.0 allows unauthenticated attackers to upload executable files without restriction, leading to complete server compromise. The CVSS 10.0 Critical rating reflects network-accessible unauthenticated exploitation with scope change, enabling full system control. EPSS probability is low (0.10%, 29th percentile) indicating limited observed exploitation activity, though no public exploit identified at time of analysis. Patchstack-reported vulnerability affects installations using this restaurant menu management plugin.
Critical unrestricted file upload vulnerability in merkulove Reformer for Elementor (versions through 1.0.5) that allows unauthenticated attackers to upload arbitrary files, including web shells, to affected servers. With a perfect CVSS 10.0 score and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete remote code execution and server compromise. Given the prevalence of Elementor in WordPress ecosystems and the trivial exploitation requirements, this represents an immediate and severe threat to all unpatched installations.
CVE-2025-32510 is an unrestricted file upload vulnerability in Ovatheme Events Manager versions up to 1.8.4 that allows unauthenticated attackers to upload malicious files, achieving remote code execution and complete system compromise. With a perfect CVSS 10.0 score, network-accessible attack vector, and no authentication required, this vulnerability poses critical risk to all exposed installations. Exploitation is trivial and requires only HTTP requests.
CVE-2025-47559 is an unrestricted file upload vulnerability in RomanCode MapSVG that allows authenticated users to upload and execute arbitrary web shells on affected servers. The vulnerability impacts MapSVG versions through 8.5.32, enabling attackers with valid login credentials to achieve complete system compromise (confidentiality, integrity, and availability). With a CVSS score of 9.9 and active exploitation risk indicated by the low attack complexity and widespread impact potential, this represents a critical threat to MapSVG deployments.
Critical unrestricted file upload vulnerability in RexTheme WP VR plugin (versions through 8.5.26) that allows authenticated users with low privileges to upload and execute arbitrary web shells on affected WordPress servers. With a CVSS score of 9.9 and network-based attack vector requiring only low privileges, this vulnerability poses an immediate threat to WordPress installations using the affected plugin and likely has active exploitation potential given the ease of weaponization.
A deserialization vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
PHP object injection in Spare WordPress theme versions up to 1.7 enables remote unauthenticated attackers to execute arbitrary code through deserialization of untrusted data. The CVSS 9.8 critical rating reflects network-accessible exploitation requiring no authentication or user interaction, with complete system compromise possible. EPSS score of 0.14% (34th percentile) suggests low observed exploitation probability despite critical severity, and no CISA KEV listing confirms no widespread active exploitation detected. Patchstack vulnerability database identifies this as a PHP object injection vulnerability in the WordPress theme marketplace.
Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit this without user interaction. If actively exploited or proof-of-concept code is available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.
Critical authentication bypass vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows unauthenticated remote attackers to gain administrative access and modify product configurations without valid credentials. The vulnerability has a CVSS 9.8 score indicating severe impact (confidentiality, integrity, and availability compromised), and represents a complete authentication control failure requiring immediate patching.
Critical SQL injection vulnerability in Adrian Ladó's PostaPanduri application (versions up to 2.1.3) that allows unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 9.3 with network-based attack vector and no authentication required, enabling attackers to extract sensitive data from the database and potentially cause service disruption. Real-world exploitation risk is elevated due to the complete lack of authentication requirements and straightforward attack vector.
Blind SQL injection in mojoomla School Management plugin for WordPress enables remote unauthenticated attackers to extract database contents and potentially cause service disruption. The vulnerability affects all versions up to and including 92.0.0, with public exploitation probability at 0.06% (EPSS percentile 18), indicating low observed exploitation attempts despite critical CVSS rating. Patchstack vulnerability database confirms the flaw but patch status remains unverified from available references.
Blind SQL injection in Smart Notification WordPress plugin through version 10.3 allows remote unauthenticated attackers to extract sensitive database information via specially crafted requests. The vulnerability carries a CVSS score of 9.3 due to network-based attack vector, no required authentication, and potential for cross-scope impact with high confidentiality breach. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability in the wild, and no active exploitation has been confirmed via CISA KEV at time of analysis. Patchstack vulnerability database serves as the primary disclosure source.
Critical SQL injection vulnerability in the WPCRM plugin (versions up to 3.2.0) for WordPress, affecting deployments integrating Contact Form 7 and WooCommerce. An unauthenticated remote attacker can execute arbitrary SQL commands with high confidence (CVSS 9.3, EPSS score likely elevated) to extract sensitive customer relationship and transaction data, though direct data modification and system availability impacts are limited. Immediate patching is strongly recommended for all affected installations.
A SQL injection vulnerability in wpjobportal WP Job Portal allows Blind SQL Injection (CVSS 9.3). Critical severity with potential for significant impact on affected systems.
Critical privilege escalation vulnerability in FreeIPA that allows authenticated users with high privileges to create Kerberos services with the same canonical name (krbCanonicalName) as the realm administrator, enabling them to obtain administrative credentials. The vulnerability affects FreeIPA default configurations where uniqueness validation is not enforced, allowing attackers to retrieve Kerberos tickets with admin@REALM credentials and perform unrestricted administrative operations. With a CVSS 9.1 score and network-accessible attack vector, this represents a severe threat to FreeIPA-based identity infrastructures, particularly in environments where service creation permissions are delegated or insufficiently restricted.