Skip to main content
CVE-2025-25034 CRITICAL POC PATCH THREAT Act Now

SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 contain a PHP object injection vulnerability via the SugarRestSerialize.php script. The rest_data parameter is passed to unserialize() without validation, allowing unauthenticated attackers to inject malicious PHP objects for remote code execution.

Deserialization PHP RCE
NVD Exploit-DB GitHub
CVSS 4.0
9.3
EPSS
73.5%
Threat
5.6
CVE-2025-25038 CRITICAL POC THREAT Emergency

MiniDVBLinux version 5.4 and earlier contains an unauthenticated OS command injection in the web-based management interface. The DVB streaming platform fails to sanitize user input before passing it to operating system commands, enabling remote attackers to execute arbitrary commands on the media server.

Command Injection Minidvblinux
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
17.7%
Threat
4.0
CVE-2025-49132 CRITICAL POC PATCH THREAT Act Now

Pterodactyl game server management panel prior to version 1.11.11 contains an unauthenticated remote code execution via the /locales/locale.json endpoint. By manipulating the locale and namespace query parameters, attackers can execute arbitrary code on the panel server, gaining control over all managed game servers.

RCE
NVD GitHub Exploit-DB
CVSS 3.1
10.0
EPSS
12.2%
CVE-2025-45890 CRITICAL POC Act Now

CVE-2025-45890 is a critical directory traversal vulnerability in Novel Plus before v5.1.0 that allows unauthenticated remote attackers to execute arbitrary code by manipulating the filePath parameter. The vulnerability has a CVSS score of 9.8 (critical severity) with a network-based attack vector requiring no privileges or user interaction. Given the critical CVSS metrics and remote code execution capability, this vulnerability poses an immediate and severe risk to all unpatched Novel Plus installations and warrants emergency patching.

RCE Path Traversal Novel Plus
NVD GitHub
CVSS 3.1
9.8
EPSS
4.0%
CVE-2025-34030 CRITICAL POC Act Now

CVE-2025-34030 is a critical OS command injection vulnerability in sar2html versions 3.2.2 and earlier that allows unauthenticated remote attackers to execute arbitrary shell commands through unsanitized input in the 'plot' parameter of index.php. The vulnerability has a perfect CVSS score of 10.0 and requires no authentication, user interaction, or special privileges to exploit. Active exploitation was observed by the Shadowserver Foundation as of February 4, 2025, indicating this is not a theoretical threat.

PHP Command Injection
NVD GitHub Exploit-DB
CVSS 4.0
10.0
EPSS
2.0%
CVE-2025-32877 CRITICAL POC Act Now

CVE-2025-32877 is a security vulnerability (CVSS 9.8) that allows attackers. Risk factors: public PoC available.

Information Disclosure Coros Pace 3 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-46179 CRITICAL POC Act Now

CVE-2025-46179 is a critical SQL injection vulnerability in CloudClassroom-PHP Project v1.0's askquery.php file, where the 'squeryx' parameter is passed directly into SQL queries without sanitization. This affects all installations of CloudClassroom-PHP v1.0 and allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to complete database compromise including data exfiltration, modification, and denial of service. The vulnerability has a CVSS 9.8 score reflecting its network-based exploitability with no authentication or user interaction required; active exploitation status and POC availability are unknown from the provided data.

PHP SQLi Cloudclassroom Php Project
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-32878 CRITICAL POC Act Now

CVE-2025-32878 is a security vulnerability (CVSS 9.8). Risk factors: public PoC available.

Information Disclosure Coros Pace 3 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-32880 CRITICAL POC Act Now

COROS PACE 3 smartwatches through firmware version 3.0808.0 download firmware updates over unencrypted HTTP connections when connected to WLAN, enabling attackers to intercept, modify, or inject malicious firmware without authentication. This critical vulnerability (CVSS 9.8) affects all users of the PACE 3 device and could result in complete device compromise, data exfiltration, or persistent malware installation. No active exploitation in the wild has been confirmed at this time, but the trivial attack complexity and network accessibility make this a high-priority patch target.

Information Disclosure Coros Pace 3 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-25037 CRITICAL POC Act Now

CVE-2025-25037 is a critical authentication bypass vulnerability in Aquatronica Controller System that exposes an unauthenticated tcp.php endpoint, allowing remote attackers to retrieve plaintext administrative credentials and sensitive system configuration data without authentication. Affected versions include firmware ≤5.1.6 and web interface ≤2.0. Successful exploitation enables complete system compromise, including unauthorized control of connected aquarium devices and manipulation of critical parameters, representing a direct path to full administrative access with no user interaction required.

PHP Information Disclosure
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
1.2%
CVE-2025-34022 CRITICAL POC Act Now

CVE-2025-34022 is an unauthenticated path traversal vulnerability in Selea Targa IP OCR-ANPR cameras affecting at least 9 models (iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, Targa 704 ILB). The /common/get_file.php script fails to validate the 'file' parameter, allowing remote attackers to read arbitrary files including system credentials in cleartext. Active exploitation was confirmed by Shadowserver Foundation on 2025-02-02 UTC, indicating this is not theoretical-it is actively weaponized in the wild.

PHP Authentication Bypass Path Traversal Information Disclosure
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2025-34029 HIGH POC This Week

CVE-2025-34029 is an OS command injection vulnerability in Edimax EW-7438RPn Mini wireless router firmware version 1.13 and prior that allows authenticated remote attackers to execute arbitrary shell commands as root through the /goform/formSysCmd endpoint. The vulnerability has a CVSS score of 8.8 (High) and was observed being exploited in the wild by the Shadowserver Foundation on 2024-09-14 UTC, indicating active real-world attack activity against this widely-deployed consumer networking device.

Command Injection Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
2.1%
CVE-2025-48706 CRITICAL POC Act Now

A remote code execution vulnerability in COROS PACE 3 (CVSS 9.1). Risk factors: public PoC available.

Buffer Overflow Coros Pace 3 Firmware
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-34024 HIGH POC This Week

CVE-2025-34024 is an OS command injection vulnerability in Edimax EW-7438RPn wireless range extender firmware versions 1.13 and prior, allowing authenticated attackers to execute arbitrary commands as root via the /goform/mp endpoint. The vulnerability results from improper input validation on the 'command' parameter in the mp.asp form handler, enabling shell metacharacter injection. Active exploitation was observed by the Shadowserver Foundation on 2024-09-14 UTC, indicating real-world threat activity against this device.

Command Injection Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-6337 HIGH POC This Week

CVE-2025-6337 is a critical buffer overflow vulnerability in TOTOLINK A3002R and A3002RU routers affecting versions 3.0.0-B20230809.1615 and 4.0.0-B20230531.1404. An authenticated attacker can exploit the 'submit-url' parameter in the /boafrm/formTmultiAP HTTP POST handler to achieve remote code execution with complete system compromise (confidentiality, integrity, and availability). Public exploit code exists and the vulnerability is exploitable over the network with low complexity.

Buffer Overflow TP-Link A3002ru Firmware A3002r Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6336 HIGH POC This Week

CVE-2025-6336 is a critical buffer overflow vulnerability in TOTOLINK EX1200T wireless router (version 4.1.2cu.5232_B20210713) affecting the HTTP POST request handler. An authenticated attacker can exploit improper input validation on the 'submit-url' parameter in the /boafrm/formTmultiAP endpoint to achieve remote code execution with full system compromise (confidentiality, integrity, and availability). Public exploit code is available and the vulnerability has been disclosed; exploitation requires valid credentials but no user interaction.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-34023 HIGH POC This Week

CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote authenticated attackers to read arbitrary files from the underlying system via unsanitized input to the /cgi-bin/cgiServer.exx endpoint's page parameter. This vulnerability affects IP phone administrators with network access to the management interface and carries a CVSS 8.5 score reflecting high confidentiality impact. Active exploitation evidence was documented by Shadowserver Foundation on 2025-02-02 UTC, indicating real-world attack activity.

Path Traversal Information Disclosure IoT
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
1.8%
CVE-2025-6302 HIGH POC This Week

CVE-2025-6302 is a critical stack-based buffer overflow vulnerability in TOTOLINK EX1200T router firmware version 4.1.2cu.5232_B20210713, specifically in the setStaticDhcpConfig function of /cgi-bin/cstecgi.cgi. An authenticated attacker can exploit this by sending a malicious Comment parameter to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code has been disclosed, making this actively exploitable.

Buffer Overflow TP-Link Ex1200t Firmware TOTOLINK
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6292 HIGH POC This Week

CVE-2025-6292 is a critical stack-based buffer overflow vulnerability in D-Link DIR-825 routers (version 2.03 and potentially others) that allows authenticated attackers to execute arbitrary code remotely via malformed HTTP POST requests to the vulnerable HTTP POST Request Handler function. The vulnerability affects end-of-life products no longer receiving security updates from D-Link, and public exploit code has been disclosed, increasing real-world exploitation risk despite requiring valid credentials.

Buffer Overflow D-Link RCE Denial Of Service Dir 825 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6291 HIGH POC This Week

CVE-2025-6291 is a critical stack-based buffer overflow vulnerability in D-Link DIR-825 firmware version 2.03, exploitable via HTTP POST requests to the do_file function. An authenticated attacker can achieve complete system compromise (confidentiality, integrity, and availability violations) remotely without user interaction. Public exploit code exists and the affected product is end-of-life with no vendor support, elevating real-world risk despite authentication requirement.

Buffer Overflow D-Link RCE Dir 825 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6328 HIGH POC This Week

A critical stack-based buffer overflow vulnerability exists in D-Link DIR-815 firmware version 1.01 within the hedwig.cgi module (function sub_403794), allowing remote attackers with low privilege access to execute arbitrary code with high impact on confidentiality, integrity, and availability. Public exploit code is available and the vulnerability may be actively exploited in the wild, making this a high-priority remediation target.

Buffer Overflow D-Link RCE Dir 815 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6370 HIGH POC This Week

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6369 HIGH POC This Week

CVE-2025-6369 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L v2.06B01 affecting the /goform/formdumpeasysetup endpoint. An authenticated remote attacker can exploit improper input validation of the curTime or config.save_network_enabled parameters to achieve remote code execution with high impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the affected product is end-of-life with no vendor support available.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6368 HIGH POC This Week

A critical stack-based buffer overflow vulnerability exists in D-Link DIR-619L firmware version 2.06B01, affecting the formSetEmail function via the curTime and config.smtp_email_subject parameters. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability). Public exploit code has been disclosed, and the affected product is end-of-life with no vendor support available.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6367 HIGH POC This Week

CVE-2025-6367 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L firmware version 2.06B01, affecting the /goform/formSetDomainFilter endpoint. An authenticated remote attacker can exploit improper input validation on the curTime, sched_name_%d, and url_%d parameters to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability). The vulnerability has public exploit disclosure and affects end-of-life hardware no longer receiving vendor support.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6371 HIGH POC This Week

CVE-2025-6371 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L firmware version 2.06B01 affecting the formSetEnableWizard function. An authenticated remote attacker can exploit this vulnerability by manipulating the 'curTime' parameter to achieve remote code execution with high confidentiality, integrity, and availability impact (CVSS 8.8). Exploitation has been publicly disclosed with proof-of-concept available, and this vulnerability only affects end-of-life products no longer receiving vendor support.

Buffer Overflow D-Link Stack Overflow RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-6372 HIGH POC This Week

A buffer overflow vulnerability (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-32879 HIGH POC This Week

CVE-2025-32879 is a security vulnerability (CVSS 8.8) that allows an attacker. Risk factors: public PoC available.

Authentication Bypass Bluetooth Information Disclosure Coros Pace 3 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-4994 HIGH POC PATCH This Week

CVE-2024-4994 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab's GraphQL API that allows unauthenticated attackers to execute arbitrary GraphQL mutations through a malicious website visited by authenticated GitLab users. This affects GitLab CE/EE versions 16.1.0-16.11.4, 17.0.0-17.0.2, and 17.1.0, with a CVSS score of 8.1 indicating high severity. The vulnerability requires user interaction (clicking a malicious link) but can result in unauthorized data manipulation or system compromise depending on the mutations executed.

CSRF Gitlab RCE
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-34021 HIGH POC This Week

CVE-2025-34021 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting multiple Selea Targa IP OCR-ANPR camera models that allows remote unauthenticated attackers to induce arbitrary HTTP requests through unvalidated JSON POST parameters (ipnotify_address and url). An attacker can bypass firewall policies, enumerate internal services, or redirect image fetch and DNS lookup operations to internal or external systems of their choosing. Active exploitation was confirmed by the Shadowserver Foundation on 2025-01-25, indicating real-world attack activity and operational risk.

SSRF
NVD Exploit-DB
CVSS 4.0
7.8
EPSS
0.1%
CVE-2025-45331 HIGH POC PATCH This Week

CVE-2025-45331 is a Null Pointer Dereference (NPD) vulnerability in brplot v420.69.1's br_dagens_handle_once function that causes denial of service through segmentation faults and program crashes. The vulnerability is remotely exploitable without authentication or user interaction (CVSS 7.5), making it a high-availability risk for any system processing brplot data. While KEV status and active exploitation data are not provided, the network-accessible attack vector and high availability impact suggest this warrants prioritization for patched deployments.

Denial Of Service Brplot
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48705 HIGH POC This Week

CVE-2025-48705 is a NULL pointer dereference vulnerability in COROS PACE 3 smartwatch (versions 3.0 through 3.0808.0) that allows unauthenticated remote attackers to trigger a device reboot by sending a specially crafted Bluetooth Low Energy (BLE) message. The vulnerability results in denial of service with no additional privileges required, affecting the availability of the device. Given the CVSS 7.5 score and remote/network attack vector over BLE, this poses a significant nuisance risk to users, though impact is limited to device unavailability rather than data compromise.

Denial Of Service Coros Pace 3 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6364 HIGH POC This Week

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Simple Pizza Ordering System
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-6363 HIGH POC This Week

CVE-2025-6363 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /adding-exec.php file where the 'ingname' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. With a CVSS score of 7.3 and network-based attack vector requiring no user interaction, this vulnerability poses significant risk to affected deployments, though real-world exploitation likelihood depends on whether POC code and active exploitation attempts are documented.

PHP SQLi Simple Pizza Ordering System RCE
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-6362 HIGH POC This Week

CVE-2025-6362 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /editpro.php file where the ID parameter is improperly validated. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has a CVSS score of 7.3 (High) and requires no user interaction or authentication, making it a significant risk for deployments of this application.

PHP SQLi Simple Pizza Ordering System
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-6361 HIGH POC This Week

CVE-2025-6361 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /adds.php file's userid parameter. An unauthenticated remote attacker can exploit this vulnerability without user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the application database. The vulnerability has a CVSS score of 7.3 (High) and represents an immediate risk to any organization running this unpatched system in production.

PHP SQLi Simple Pizza Ordering System
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-32876 MEDIUM POC This Month

An issue was discovered on COROS PACE 3 devices through 3.0808.0. The BLE implementation of the COROS smartwatch does not support LE Secure Connections and instead enforces BLE Legacy Pairing. In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed. This requires knowledge of the Temporary Key (TK), which, in the case of the COROS Pace 3, is set to 0 due to the Just Works pairing method. An attacker within Bluetooth range can therefore perform sniffing attacks, allowing eavesdropping on the communication.

Authentication Bypass Coros Pace 3 Firmware
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-46158 MEDIUM POC PATCH This Month

An issue in redoxOS kernel before commit 5d41cd7c allows a local attacker to cause a denial of service via the `setitimer` syscall

Denial Of Service Redox
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-4981 CRITICAL PATCH Act Now

A remote code execution vulnerability (CVSS 9.9) that allows authenticated users. Critical severity with potential for significant impact on affected systems.

RCE Path Traversal Mattermost Server Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.6%
CVE-2025-44635 CRITICAL Act Now

CVE-2025-44635 is a security vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53298 CRITICAL Act Now

CVE-2024-53298 is a critical missing authorization vulnerability in Dell PowerScale OneFS NFS export functionality that allows unauthenticated remote attackers to gain unauthorized filesystem access without authentication. Affected versions range from 9.5.0.0 through 9.10.0.1, and successful exploitation enables arbitrary file read, modification, and deletion, leading to complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no privileges or user interaction, this vulnerability poses severe risk to unpatched Dell PowerScale deployments; KEV status and active exploitation details require vendor advisory verification.

Authentication Bypass Dell Powerscale Onefs
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-6365 MEDIUM POC This Month

A vulnerability was found in HobbesOSR Kitten up to c4f8b7c3158983d1020af432be1b417b28686736 and classified as critical. Affected by this issue is the function set_pte_at in the library /include/arch-arm64/pgtable.h. The manipulation leads to resource consumption. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Denial Of Service Kitten
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.1%
CVE-2025-6264 MEDIUM POC PATCH This Month

Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.  To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).

Privilege Escalation Velociraptor Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-6311 MEDIUM POC This Month

CVE-2025-6311 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0 affecting the /pages/account_add.php endpoint. Unauthenticated remote attackers can manipulate the 'id' or 'amount' parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation risk with a CVSS score of 7.3 indicating medium-to-high severity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6355 MEDIUM POC This Month

CVE-2025-6355 is a critical SQL injection vulnerability in SourceCodester Online Hotel Reservation System version 1.0, specifically in the /admin/execeditroom.php file where the 'userid' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or denial of service. Public disclosure and proof-of-concept availability significantly elevate real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6339 MEDIUM POC This Month

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6314 MEDIUM POC This Month

CVE-2025-6314 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System 1.0, specifically in the /pages/cat_update.php file's ID parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has a publicly disclosed exploit (POC available), making it an active threat with immediate exploitation risk; the CVSS 7.3 score reflects moderate-to-high severity with network-based attack capability and no authentication required.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6313 MEDIUM POC This Month

CVE-2025-6313 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, affecting the /pages/cat_add.php endpoint where the 'Category' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available and may be actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6312 MEDIUM POC This Month

CVE-2025-6312 is a critical SQL injection vulnerability in Campcodes Sales and Inventory System version 1.0, specifically in the /pages/cash_transaction.php file where the 'cid' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploitation details available, making it actively exploitable in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6360 MEDIUM POC This Month

CVE-2025-6360 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /portal.php file's ID parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy