Skip to main content
CVE-2025-50201 CRITICAL POC PATCH THREAT Act Now

Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prior to 3.4.2, affecting the /html/configuracao/debug_info.php endpoint. An unauthenticated attacker can inject arbitrary operating system commands via the unsanitized 'branch' parameter, achieving remote code execution (RCE) with www-data user privileges. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this represents an immediate and severe threat to all unpatched WeGIA deployments.

PHP Command Injection Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
30.1%
Threat
4.4
CVE-2025-52474 CRITICAL POC PATCH Act Now

Critical SQL Injection vulnerability in WeGIA (a web-based management system for charitable institutions) affecting the 'id' parameter of the /WeGIA/controle/control.php endpoint in versions prior to 3.4.2. This unauthenticated, network-accessible vulnerability enables attackers to execute arbitrary SQL queries without privileges or user interaction, resulting in complete compromise of database confidentiality, integrity, and availability. The CVSS 9.8 score reflects the severe impact potential; however, KEV status, EPSS probability, and public POC availability could not be confirmed from provided data and should be verified through CISA and exploit databases.

PHP SQLi Information Disclosure Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-45208 CRITICAL Act Now

Critical remote code execution vulnerability in Versa Director SD-WAN orchestration platform affecting the Cisco NCS application service bound to TCP ports 4566 and 4570. An unauthenticated network attacker can exploit weak HA authentication mechanisms to gain unauthorized administrative access and execute arbitrary code with CVSS 9.8 severity. While no active exploitation has been confirmed, third-party proof-of-concept code has been publicly disclosed, significantly elevating real-world risk.

Microsoft RCE Cisco
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2025-24288 CRITICAL Act Now

Critical authentication bypass vulnerability in Versa Director that exposes multiple services (SSH, PostgreSQL, and others) with default credentials on internet-facing deployments. The vulnerability affects Versa Director installations where default passwords remain unchanged, allowing unauthenticated remote attackers to gain complete system compromise (confidentiality, integrity, and availability impact). While no confirmed exploitation has been reported, proof-of-concept code has been publicly disclosed by security researchers, and the CVSS 9.8 score reflects the severity of unrestricted remote access with default credentials.

PostgreSQL Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-4738 CRITICAL PATCH Act Now

Critical SQL Injection vulnerability in Yirmibes Software MY ERP versions before 1.170 that allows unauthenticated remote attackers to execute arbitrary SQL commands with complete compromise of data confidentiality, integrity, and availability. The vulnerability has a maximum CVSS score of 9.8 (Critical) with zero authentication or user interaction required, making it immediately exploitable over the network. Without access to current KEV/CISA inclusion data or EPSS scores, the high CVSS vector combined with the trivial attack complexity (AC:L) and network accessibility (AV:N) strongly indicates this represents a severe, actively exploitable threat requiring immediate patching.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-50200 MEDIUM POC PATCH This Month

RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in plaintext encoded in base64. When querying RabbitMQ api with HTTP/s with basic authentication it creates logs with all headers in request, including authorization headers which show base64 encoded username:password. This is easy to decode and afterwards could be used to obtain control to the system depending on credentials. This issue has been patched in version 4.0.8.

Information Disclosure Ubuntu Debian Rabbitmq Server Red Hat +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-50181 MEDIUM POC PATCH This Month

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.

Python Open Redirect SSRF Ubuntu Debian +3
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-6384 CRITICAL PATCH Act Now

Critical Remote Code Execution vulnerability in CrafterCMS Crafter Studio that allows authenticated developers to bypass Groovy Sandbox restrictions and execute arbitrary OS commands through malicious Groovy code injection. This affects CrafterCMS versions 4.0.0 through 4.2.2, and while it requires high-privilege authentication (developer role), the ability to achieve RCE with high-impact consequences (confidentiality, integrity, and availability compromise across system boundaries) makes this a severe issue worthy of immediate patching.

RCE Craftercms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-52467 CRITICAL PATCH Act Now

pgai, a Python library for PostgreSQL-based RAG and agentic applications, contains a secrets exfiltration vulnerability (CVE-2025-52467) that allows unauthenticated remote attackers to extract all workflow secrets, including GITHUB_TOKEN credentials with repository write permissions. This vulnerability has a CVSS score of 9.1 (Critical) and affects pgai versions prior to commit 8eb3567; a patch is available and the vulnerability is not currently listed in CISA KEV, though the high CVSS and direct credential exposure indicate substantial real-world risk if the library is deployed in CI/CD environments.

Python Information Disclosure RCE Github
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-33117 CRITICAL Act Now

IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 contains a privilege escalation vulnerability that allows authenticated administrative users to modify configuration files and upload malicious autoupdate packages, leading to arbitrary command execution with system-level privileges. This is a high-severity vulnerability (CVSS 9.1) affecting SIEM infrastructure; while it requires high privileges (PR:H), the network-accessible attack vector (AV:N) and lack of user interaction (UI:N) make it a significant risk in multi-user enterprise environments where administrative credentials may be compromised or misused.

IBM Privilege Escalation RCE Qradar Security Information And Event Manager
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-23121 HIGH PATCH CERT-EU This Week

Remote code execution vulnerability in Backup Server that allows authenticated domain users to execute arbitrary code with high severity (CVSS 8.8). The vulnerability requires valid domain credentials but no user interaction, making it a significant risk for organizations with Backup Server deployments in Active Directory environments. If actively exploited or with public POC availability, this represents an immediate priority for patching.

RCE Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-5071 HIGH PATCH This Week

The AI Engine WordPress plugin (versions 2.8.0-2.8.3) contains a missing capability check in the 'Meow_MWAI_Labs_MCP::can_access_mcp' function, allowing authenticated subscribers and above to access the Model Context Protocol (MCP) interface and execute arbitrary WordPress administrative commands. This enables privilege escalation, unauthorized user creation/modification, and data destruction through post and comment manipulation. The vulnerability has a CVSS score of 8.8 (High) and poses immediate risk to any WordPress installation running affected versions with user registration enabled.

WordPress Privilege Escalation PHP Ai Engine
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-52464 HIGH PATCH This Week

A remote code execution vulnerability in versions from 2.5.0 to (CVSS 8.3). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Information Disclosure IoT Meshtastic Firmware
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2025-49763 HIGH PATCH This Week

The ESI (Edge Side Includes) plugin in Apache Traffic Server lacks enforcement of maximum inclusion depth limits, allowing attackers to craft malicious ESI instructions that trigger excessive recursive inclusions and cause denial-of-service through memory exhaustion. This vulnerability affects Apache Traffic Server versions 9.0.0-9.2.10 and 10.0.0-10.0.5, with a CVSS score of 7.5 indicating high availability impact. The vulnerability is remotely exploitable without authentication and can be mitigated by upgrading to patched versions (9.2.11 or 10.0.6) or configuring the new --max-inclusion-depth setting.

Apache Denial Of Service Traffic Server Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-23173 HIGH This Week

Network-accessible remote code execution vulnerability in Versa Director SD-WAN orchestration platform where the websockify service on port 6080 is exposed by default to the internet, allowing unauthenticated attackers to exploit known websockify weaknesses for potential code execution. Versa Networks confirms no active exploitation has been observed, but third-party proof-of-concept has been publicly disclosed. The vulnerability affects Versa Director deployments with default configurations and represents a critical supply-chain risk for SD-WAN infrastructure.

RCE
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-31698 HIGH PATCH This Week

CVE-2025-31698 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Apache Authentication Bypass Traffic Server Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-6283 LOW POC PATCH Monitor

A vulnerability was found in xataio Xata Agent up to 0.3.0. It has been classified as problematic. This affects the function GET of the file apps/dbagent/src/app/api/evals/route.ts. The manipulation of the argument passed leads to path traversal. Upgrading to version 0.3.1 is able to address this issue. The patch is named 03f27055e0cf5d4fa7e874d34ce8c74c7b9086cc. It is recommended to upgrade the affected component.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-23172 HIGH This Week

CVE-2025-23172 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in Versa Director SD-WAN orchestration platform that allows authenticated users with high privileges to abuse the Webhook feature to send crafted HTTP requests to localhost endpoints. This can be exploited to execute arbitrary commands on behalf of the 'versa' user who holds sudo privileges, resulting in potential remote code execution and privilege escalation. While no active exploitation has been reported in the wild, a proof-of-concept has been publicly disclosed, presenting an elevated risk for organizations running vulnerable Versa Director instances.

RCE Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2025-23171 HIGH This Week

CVE-2025-23171 is an insecure file upload vulnerability in Versa Director SD-WAN orchestration platform that allows authenticated attackers with high privileges to upload malicious files (including webshells) despite UI restrictions, due to improper file upload permission validation. The vulnerability affects Versa Director and carries a CVSS score of 7.2 (High); while no active exploitation has been reported, proof-of-concept code has been publicly disclosed by third-party researchers, creating moderate real-world risk for organizations running affected versions.

File Upload
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-24286 HIGH PATCH This Week

Privilege escalation vulnerability in backup management systems that permits authenticated users with the Backup Operator role to modify backup job configurations and execute arbitrary code with system privileges. The vulnerability affects backup software implementations that fail to properly validate backup job modifications; attackers must possess valid Backup Operator credentials but face no additional complexity once authenticated. This vulnerability is not currently listed in CISA's KEV catalog, but the high CVSS score of 7.2 and code execution capability indicate significant risk to organizations managing sensitive backup infrastructure.

RCE Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-33121 HIGH This Week

IBM QRadar SIEM versions 7.5 through 7.5.0 Update Package 12 contain an XML External Entity (XXE) injection vulnerability that allows authenticated remote attackers to extract sensitive information or trigger denial-of-service conditions through memory exhaustion. The vulnerability requires valid credentials (CVSS PR:L) but has a high confidentiality impact (C:H) and affects a critical security infrastructure product. No publicly available evidence of active exploitation or public POCs has been confirmed at this time.

XXE IBM Information Disclosure Denial Of Service Qradar Security Information And Event Manager
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-6019 HIGH PATCH This Week

Local privilege escalation vulnerability in libblockdev that allows an unprivileged user with Polkit 'allow_active' permissions to escalate to root privileges by crafting a malicious XFS filesystem image and exploiting udisks' mounting behavior. The vulnerability affects users with active session permissions on systems running vulnerable libblockdev versions, enabling complete system compromise through execution of SUID-root binaries embedded in specially crafted disk images. While carrying a moderate CVSS score of 7.0, the attack requires local access and user interaction with filesystem resizing operations, limiting real-world exploitation scope.

Privilege Escalation
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-23170 MEDIUM This Month

The Versa Director SD-WAN orchestration platform includes functionality to initiate SSH sessions to remote CPEs and the Director shell via Shell-In-A-Box. The underlying Python script, shell-connect.py, is vulnerable to command injection through the user argument. This allows an attacker to execute arbitrary commands on the system. Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers. Workarounds or Mitigation: There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions.

Python Command Injection
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-32896 MEDIUM PATCH This Month

Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

Apache Deserialization Authentication Bypass Seatunnel
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-50183 MEDIUM PATCH This Month

OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. This issue has been patched in version 4.0.0-rc.4.

XSS
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-24916 MEDIUM This Month

Untrusted DLLs in the installer's directory may be loaded and executed, leading to potentially arbitrary code execution with the installer's privileges (admin).

RCE Smartconsole
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-6201 MEDIUM This Month

The Pixel Manager for WooCommerce - Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Google PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5234 MEDIUM PATCH This Month

The Gutenverse News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘elementId’ parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Gutenverse News PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-4479 MEDIUM PATCH This Month

The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Elementskit Elementor Addons PHP Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-4367 MEDIUM PATCH This Month

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Download Manager PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-4965 MEDIUM This Month

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Page Builder PHP WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-23168 MEDIUM This Month

The Versa Director SD-WAN orchestration platform implements Two-Factor Authentication (2FA) using One-Time Passcodes (OTP) delivered via email or SMS. Versa Director accepts untrusted user input when dispatching 2FA codes, allowing an attacker who knows a valid username and password to redirect the OTP delivery (SMS/email) to their own device. OTP/TOTP codes are not invalidated after use, enabling reuse by an attacker who has previously intercepted or obtained a valid code. In addition, the 2FA system does not adequately restrict the number or frequency of login attempts. The OTP values are generated from a relatively small keyspace, making brute-force attacks more feasible. Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers. Workarounds or Mitigation: Versa recommends that Director be upgraded to one of the remediated software versions.

Authentication Bypass Versa Director
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-6267 MEDIUM This Month

A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /adpweb/a/base/barcodeDetail/. The manipulation of the argument barcodeNo/barcode/itemNo leads to sql injection. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.

SQLi Adp Application Developer Platform
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36050 MEDIUM This Month

IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 stores potentially sensitive information in log files that could be read by a local user.

Information Disclosure IBM Qradar Security Information And Event Manager
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-6266 LOW POC Monitor

A vulnerability was detected in Teledyne FLIR AX8 up to 1.46. Affected by this vulnerability is an unknown functionality of the file /upload.php. Performing manipulation of the argument File results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 1.49.16 addresses this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6277 LOW POC Monitor

A vulnerability classified as critical has been found in Brilliance Golden Link Secondary System up to 20250609. This affects an unknown part of the file /storagework/custTakeInfoPage.htm. The manipulation of the argument custTradeName leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6276 LOW POC Monitor

A vulnerability was found in Brilliance Golden Link Secondary System up to 20250609. It has been rated as critical. Affected by this issue is some unknown functionality of the file /storagework/rentTakeInfoPage.htm. The manipulation of the argument custTradeName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6284 LOW POC Monitor

A vulnerability was found in PHPGurukul Car Rental Portal 3.0. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CSRF
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-23169 MEDIUM This Month

The Versa Director SD-WAN orchestration platform allows customization of the user interface, including the header, footer, and logo. However, the input provided for these customizations is not properly validated or sanitized, allowing a malicious user to inject and store cross-site scripting (XSS) payloads. Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers. Workarounds or Mitigation: There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions.

XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-24291 MEDIUM This Month

The Versa Director SD-WAN orchestration platform provides functionality to upload various types of files. However, the Java code handling file uploads contains an argument injection vulnerability. By appending additional arguments to the file name, an attacker can bypass MIME type validation, allowing the upload of arbitrary file types. This flaw can be exploited to place a malicious file on disk. Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers. There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions.

Java RCE
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-24287 MEDIUM This Month

A vulnerability allowing local system users to modify directory contents, allowing for arbitrary code execution on the local system with elevated permissions.

RCE Code Injection
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-6282 LOW POC Monitor

A vulnerability was found in xlang-ai OpenAgents up to ff2e46440699af1324eb25655b622c4a131265bb and classified as critical. Affected by this issue is the function create_upload_file of the file backend/api/file.py. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The reported GitHub issue was closed automatically with the label "not planned" by a bot.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2025-6280 LOW POC Monitor

A vulnerability, which was classified as critical, was found in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function download_attachment of the file SuperAGI/superagi/helper/read_email.py of the component EmailToolKit. The manipulation of the argument filename leads to path traversal. The exploit has been disclosed to the public and may be used.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2025-6278 LOW POC PATCH Monitor

A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2025-6279 LOW POC PATCH Monitor

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used.

Deserialization
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-6275 LOW POC PATCH Monitor

A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been declared as problematic. Affected by this vulnerability is the function GetFuncOffset of the file src/interp/binary-reader-interp.cc. The manipulation leads to use after free. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. A similar issue reported during the same timeframe was disputed by the code maintainer because it might not affect "real world wasm programs". Therefore, this entry might get disputed as well in the future.

Buffer Overflow Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-6274 LOW POC PATCH Monitor

A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been classified as problematic. Affected is the function OnDataCount of the file src/interp/binary-reader-interp.cc. The manipulation leads to resource consumption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. A similar issue reported during the same timeframe was disputed by the code maintainer because it might not affect "real world wasm programs". Therefore, this entry might get disputed as well in the future.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2025-6272 LOW POC Monitor

A vulnerability has been found in wasm3 0.5.0 and classified as problematic. This vulnerability affects the function MarkSlotAllocated of the file source/m3_compile.c. The manipulation leads to out-of-bounds write. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-6271 LOW POC PATCH Monitor

A vulnerability, which was classified as problematic, was found in swftools up to 0.9.2. This affects the function wav_convert2mono in the library lib/wav.c of the component wav2swf. The manipulation leads to out-of-bounds read. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-6270 LOW POC PATCH Monitor

A vulnerability, which was classified as critical, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5FS__sect_find_node of the file H5FSsection.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy