Skip to main content
CVE-2025-25034 CRITICAL POC PATCH THREAT Act Now

SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 contain a PHP object injection vulnerability via the SugarRestSerialize.php script. The rest_data parameter is passed to unserialize() without validation, allowing unauthenticated attackers to inject malicious PHP objects for remote code execution.

Deserialization PHP RCE
NVD Exploit-DB GitHub
CVSS 4.0
9.3
EPSS
73.5%
Threat
5.6
CVE-2025-25038 CRITICAL POC THREAT Emergency

MiniDVBLinux version 5.4 and earlier contains an unauthenticated OS command injection in the web-based management interface. The DVB streaming platform fails to sanitize user input before passing it to operating system commands, enabling remote attackers to execute arbitrary commands on the media server.

Command Injection Minidvblinux
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
17.7%
Threat
4.0
CVE-2025-49132 CRITICAL POC PATCH THREAT Act Now

Pterodactyl game server management panel prior to version 1.11.11 contains an unauthenticated remote code execution via the /locales/locale.json endpoint. By manipulating the locale and namespace query parameters, attackers can execute arbitrary code on the panel server, gaining control over all managed game servers.

RCE
NVD GitHub Exploit-DB
CVSS 3.1
10.0
EPSS
12.2%
CVE-2025-45890 CRITICAL POC Act Now

CVE-2025-45890 is a critical directory traversal vulnerability in Novel Plus before v5.1.0 that allows unauthenticated remote attackers to execute arbitrary code by manipulating the filePath parameter. The vulnerability has a CVSS score of 9.8 (critical severity) with a network-based attack vector requiring no privileges or user interaction. Given the critical CVSS metrics and remote code execution capability, this vulnerability poses an immediate and severe risk to all unpatched Novel Plus installations and warrants emergency patching.

RCE Path Traversal Novel Plus
NVD GitHub
CVSS 3.1
9.8
EPSS
4.0%
CVE-2025-34030 CRITICAL POC Act Now

CVE-2025-34030 is a critical OS command injection vulnerability in sar2html versions 3.2.2 and earlier that allows unauthenticated remote attackers to execute arbitrary shell commands through unsanitized input in the 'plot' parameter of index.php. The vulnerability has a perfect CVSS score of 10.0 and requires no authentication, user interaction, or special privileges to exploit. Active exploitation was observed by the Shadowserver Foundation as of February 4, 2025, indicating this is not a theoretical threat.

PHP Command Injection
NVD GitHub Exploit-DB
CVSS 4.0
10.0
EPSS
2.0%
CVE-2025-32877 CRITICAL POC Act Now

CVE-2025-32877 is a security vulnerability (CVSS 9.8) that allows attackers. Risk factors: public PoC available.

Information Disclosure Coros Pace 3 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-46179 CRITICAL POC Act Now

CVE-2025-46179 is a critical SQL injection vulnerability in CloudClassroom-PHP Project v1.0's askquery.php file, where the 'squeryx' parameter is passed directly into SQL queries without sanitization. This affects all installations of CloudClassroom-PHP v1.0 and allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to complete database compromise including data exfiltration, modification, and denial of service. The vulnerability has a CVSS 9.8 score reflecting its network-based exploitability with no authentication or user interaction required; active exploitation status and POC availability are unknown from the provided data.

PHP SQLi Cloudclassroom Php Project
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-32878 CRITICAL POC Act Now

CVE-2025-32878 is a security vulnerability (CVSS 9.8). Risk factors: public PoC available.

Information Disclosure Coros Pace 3 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-32880 CRITICAL POC Act Now

COROS PACE 3 smartwatches through firmware version 3.0808.0 download firmware updates over unencrypted HTTP connections when connected to WLAN, enabling attackers to intercept, modify, or inject malicious firmware without authentication. This critical vulnerability (CVSS 9.8) affects all users of the PACE 3 device and could result in complete device compromise, data exfiltration, or persistent malware installation. No active exploitation in the wild has been confirmed at this time, but the trivial attack complexity and network accessibility make this a high-priority patch target.

Information Disclosure Coros Pace 3 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-25037 CRITICAL POC Act Now

CVE-2025-25037 is a critical authentication bypass vulnerability in Aquatronica Controller System that exposes an unauthenticated tcp.php endpoint, allowing remote attackers to retrieve plaintext administrative credentials and sensitive system configuration data without authentication. Affected versions include firmware ≤5.1.6 and web interface ≤2.0. Successful exploitation enables complete system compromise, including unauthorized control of connected aquarium devices and manipulation of critical parameters, representing a direct path to full administrative access with no user interaction required.

PHP Information Disclosure
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
1.2%
CVE-2025-34022 CRITICAL POC Act Now

CVE-2025-34022 is an unauthenticated path traversal vulnerability in Selea Targa IP OCR-ANPR cameras affecting at least 9 models (iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, Targa 704 ILB). The /common/get_file.php script fails to validate the 'file' parameter, allowing remote attackers to read arbitrary files including system credentials in cleartext. Active exploitation was confirmed by Shadowserver Foundation on 2025-02-02 UTC, indicating this is not theoretical-it is actively weaponized in the wild.

PHP Authentication Bypass Path Traversal Information Disclosure
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2025-48706 CRITICAL POC Act Now

A remote code execution vulnerability in COROS PACE 3 (CVSS 9.1). Risk factors: public PoC available.

Buffer Overflow Coros Pace 3 Firmware
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-4981 CRITICAL PATCH Act Now

A remote code execution vulnerability (CVSS 9.9) that allows authenticated users. Critical severity with potential for significant impact on affected systems.

RCE Path Traversal Mattermost Server Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.6%
CVE-2025-44635 CRITICAL Act Now

CVE-2025-44635 is a security vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-53298 CRITICAL Act Now

CVE-2024-53298 is a critical missing authorization vulnerability in Dell PowerScale OneFS NFS export functionality that allows unauthenticated remote attackers to gain unauthorized filesystem access without authentication. Affected versions range from 9.5.0.0 through 9.10.0.1, and successful exploitation enables arbitrary file read, modification, and deletion, leading to complete system compromise. With a CVSS score of 9.8 and network-based attack vector requiring no privileges or user interaction, this vulnerability poses severe risk to unpatched Dell PowerScale deployments; KEV status and active exploitation details require vendor advisory verification.

Authentication Bypass Dell Powerscale Onefs
NVD
CVSS 3.1
9.8
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy