Skip to main content
CVE-2025-1562 CRITICAL POC PATCH THREAT Act Now

The FunnelKit plugin for WordPress (versions ≤3.5.3) contains a critical vulnerability allowing unauthenticated attackers to install arbitrary plugins due to missing capability checks and weak nonce validation in the install_or_activate_addon_plugins() function. This is a pre-authentication remote code execution vector with a CVSS 9.8 severity rating that enables complete site compromise through malicious plugin installation.

WordPress Authentication Bypass PHP RCE Funnelkit Automations
NVD
CVSS 3.1
9.8
EPSS
16.1%
CVE-2025-26199 CRITICAL POC Act Now

A remote code execution vulnerability in CloudClassroom-PHP-Project v1.0 (CVSS 9.8). Risk factors: public PoC available.

RCE PHP Information Disclosure Authentication Bypass Cloudclassroom Php Project
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-46157 CRITICAL POC Act Now

Critical remote code execution vulnerability in EfroTech Time Trax v1.0 that exploits improper file upload validation in the leave request form's attachment functionality. An authenticated attacker with low privileges can upload and execute arbitrary code on the server, achieving complete system compromise with high confidentiality, integrity, and availability impact. The vulnerability is classified as actively exploitable (CVSS 9.9) and represents an immediate threat to all deployed instances.

RCE Timetrax File Upload
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-26198 CRITICAL POC Act Now

CloudClassroom-PHP-Project v1.0 contains a critical SQL injection vulnerability in the loginlinkadmin.php component that allows unauthenticated attackers to bypass authentication and gain unauthorized administrative access by injecting malicious SQL payloads into the username field. With a CVSS score of 9.8 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability poses immediate and severe risk to all deployments. While specific KEV status and EPSS data were not provided in the intelligence sources, the combination of complete authentication bypass capability, high CVSS score, and trivial exploitation complexity suggests this is actively exploitable and likely to be targeted by opportunistic attackers.

PHP SQLi Authentication Bypass Information Disclosure Cloudclassroom Php Project
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-45784 CRITICAL POC Act Now

D-Link DPH-400S/SE VoIP phones running firmware v1.01 contain hardcoded provisioning credentials (PROVIS_USER_PASSWORD) embedded directly in the firmware binary, allowing attackers with firmware access to extract sensitive authentication material via static analysis tools. This critical vulnerability (CVSS 9.8) enables unauthorized access to device management functions and potentially user accounts, with network-accessible exploitation possible if combined with firmware extraction techniques.

D-Link Information Disclosure Dph 400se Firmware Dph 400s Firmware
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-49591 CRITICAL POC PATCH Act Now

CryptPad versions prior to 2025.3.0 contain a critical authentication bypass vulnerability that allows attackers to circumvent Two-Factor Authentication (2FA) enforcement through a trivial path parameter manipulation. An attacker who obtains valid user credentials can bypass 2FA protection by URL-encoding a single character in the access path, gaining full account access without the second authentication factor. The vulnerability has a CVSS score of 9.1 (Critical) and requires no special privileges or user interaction to exploit.

Authentication Bypass Cryptpad
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-20260 CRITICAL PATCH Act Now

A remote code execution vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Buffer Overflow RCE Denial Of Service Clamav Suse
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-51381 CRITICAL Act Now

CVE-2025-51381 is an authentication bypass vulnerability in KCM3100 version 1.4.2 and earlier that allows unauthenticated attackers on the local network (LAN) to completely bypass product authentication and gain full system access. The vulnerability has a critical CVSS score of 9.8 with no authentication or user interaction required, enabling attackers to achieve complete confidentiality, integrity, and availability compromise of affected devices.

Authentication Bypass
NVD
CVSS 3.0
9.8
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy