ACT NOW CVE-2025-52488 8.6 DNN (DotNetNuke) CMS versions 6.0.0 through 10.0.0 contain a vulnerability that can expose NTLM hashes to a third-party SMB server. Through a specially crafted series of interactions, an attacker can force the DNN server to authenticate to an attacker-controlled SMB server, capturing NTLM credential hashes for offline cracking. | ACT NOW CVE-2025-6218 7.8 WinRAR contains a directory traversal vulnerability (CVE-2025-6218, CVSS 7.8) enabling remote code execution when users extract crafted archives. KEV-listed with EPSS 4.7% and public PoC, this vulnerability allows archive files to write outside the extraction directory, placing malicious files in startup folders or other sensitive locations. Given WinRAR's 500+ million user base, this is a high-impact social engineering vector. | EMERGENCY CVE-2025-6216 9.8 Allegra project tracking software contains an authentication bypass in the password recovery token generation. Unauthenticated remote attackers can calculate the token expiration date and generate valid password reset tokens, allowing them to reset any user's password including administrators. | EMERGENCY CVE-2025-25038 9.8 MiniDVBLinux version 5.4 and earlier contains an unauthenticated OS command injection in the web-based management interface. The DVB streaming platform fails to sanitize user input before passing it to operating system commands, enabling remote attackers to execute arbitrary commands on the media server. | EMERGENCY CVE-2025-25034 9.3 SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 contain a PHP object injection vulnerability via the SugarRestSerialize.php script. The rest_data parameter is passed to unserialize() without validation, allowing unauthenticated attackers to inject malicious PHP objects for remote code execution. | EMERGENCY CVE-2025-49132 10.0 Pterodactyl game server management panel prior to version 1.11.11 contains an unauthenticated remote code execution via the /locales/locale.json endpoint. By manipulating the locale and namespace query parameters, attackers can execute arbitrary code on the panel server, gaining control over all managed game servers. | ACT NOW CVE-2025-50201 9.8 Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prior to 3.4.2, affecting the /html/configuracao/debug_info.php endpoint. An unauthenticated attacker can inject arbitrary operating system commands via the unsanitized 'branch' parameter, achieving remote code execution (RCE) with www-data user privileges. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this represents an immediate and severe threat to all unpatched WeGIA deployments. | ACT NOW CVE-2025-34511 8.8 Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX webshells via crafted HTTP requests. The unrestricted file upload bypasses content type restrictions, enabling remote code execution on the Sitecore IIS server with any authenticated account. | ACT NOW CVE-2025-34510 8.8 Sitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allows authenticated attackers to write arbitrary files outside the intended upload directory. By crafting ZIP archives with path traversal entries, attackers can overwrite application files and achieve remote code execution. | ACT NOW CVE-2025-34509 7.5 Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administrative user account that allows unauthenticated remote attackers to gain unauthorized access to sensitive administrative APIs over HTTP without authentication. This vulnerability has a CVSS score of 7.5 (High) and enables confidentiality breach through direct API access; exploitation likelihood is high due to the low attack complexity and lack of authentication requirements. | ACT NOW CVE-2025-5777 7.5 Citrix NetScaler ADC and Gateway contain an input validation vulnerability (CVE-2025-5777, CVSS 7.5) leading to memory overread when configured as VPN or AAA virtual server. KEV-listed with EPSS 69.8% and public PoC, this vulnerability enables remote unauthenticated attackers to read sensitive data from the appliance's memory, potentially exposing session tokens, credentials, and encryption keys — similar to the Heartbleed class of memory disclosure bugs. | ACT NOW CVE-2025-6095 7.3 A SQL injection vulnerability (CVSS 7.3). Risk factors: EPSS 28% exploitation probability, public PoC available. | EMERGENCY CVE-2025-45985 9.8 Critical remote command injection vulnerability affecting multiple Blink router models through the bs_SetSSIDHide function, allowing unauthenticated attackers to execute arbitrary commands with full system compromise. The vulnerability impacts 8 distinct product lines across versions ranging from v1.0.0 to v4.0.0, with a CVSS score of 9.8 indicating severe severity due to network accessibility, low attack complexity, and no privilege requirements. This represents an actively exploitable flaw affecting home and small business network infrastructure with potential for widespread compromise. | ACT NOW CVE-2025-33073 8.8 Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attackers to escalate privileges over the network. KEV-listed with EPSS 57.6% and public PoC, this vulnerability in the core Windows file sharing protocol affects every Windows system on the network, enabling lateral movement from any compromised domain account to SYSTEM-level access on SMB-accessible systems. | ACT NOW CVE-2025-33053 8.8 Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables remote code execution over a network. KEV-listed with EPSS 48.5% and public PoC, this vulnerability allows attackers to craft malicious .url files that execute arbitrary code when opened, bypassing the security restrictions normally applied to internet-sourced shortcut files. | ACT NOW CVE-2025-49136 9.0 A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41% exploitation probability, public PoC available. Vendor patch is available. | ACT NOW CVE-2025-49619 8.5 Skyvern versions through 0.1.85 contain a server-side template injection (SSTI) vulnerability in the Prompt field of workflow blocks (specifically Navigation v2 Block) that allows authenticated users to inject malicious Jinja2 template expressions. These expressions are evaluated server-side without proper sanitization, enabling blind remote code execution. With a CVSS score of 8.5, this vulnerability requires valid authentication but has high confidentiality impact and crosses trust boundaries (CVSS:3.1/S:C). | ACT NOW CVE-2025-45854 10.0 Unauthenticated RCE in JEHC-BPM 2.0.1 via execParams. EPSS 17.3%. PoC and patch available. CVSS 10.0. | EMERGENCY CVE-2025-44148 9.8 XSS in MailEnable before v10 via failure.aspx. EPSS 11.5%. PoC available. | ACT NOW CVE-2025-21479 8.6 A second Qualcomm GPU micronode memory corruption vulnerability (CVE-2025-21479, CVSS 8.6) exists in the unauthorized command execution path during specific GPU command sequences. KEV-listed alongside CVE-2025-21480, this indicates a systemic issue in Qualcomm's GPU micronode command validation that is being actively exploited in mobile attack chains. | ACT NOW CVE-2025-27038 7.5 Qualcomm Adreno GPU drivers in Chrome contain a use-after-free vulnerability (CVE-2025-27038, CVSS 7.5) enabling memory corruption during graphics rendering. KEV-listed, this vulnerability can be triggered through Chrome on Android devices with Qualcomm chipsets, providing a kernel-level exploitation path from web content. | ACT NOW CVE-2025-21480 8.6 Qualcomm GPU micronode contains a memory corruption vulnerability (CVE-2025-21480, CVSS 8.6) caused by unauthorized command execution during specific GPU command sequences. KEV-listed, this vulnerability enables privilege escalation from the GPU context, potentially allowing app-level attackers to gain kernel access through the GPU driver on Qualcomm-based Android devices. | ACT NOW CVE-2025-5419 8.8 Chrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling remote heap corruption through crafted HTML pages. KEV-listed with EPSS 3.0% and public PoC, this vulnerability provides both read and write primitives in V8's heap, making it highly reliable for exploitation. | EMERGENCY CVE-2025-5086 9.0 Dassault Systemes DELMIA Apriso (releases 2020-2025) contains an unauthenticated deserialization vulnerability (CVE-2025-5086, CVSS 9.0) that enables remote code execution on manufacturing execution systems. KEV-listed with EPSS 39.2% and public PoC, this vulnerability threatens industrial manufacturing operations by targeting the MES (Manufacturing Execution System) layer that controls production processes. | ACT NOW CVE-2025-49113 9.9 Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes. | ACT NOW CVE-2025-48928 4.0 The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48927 5.3 The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48828 9.0 vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protected API controllers. The /api.php endpoint fails to properly enforce method visibility on PHP 8.1+, enabling attackers to invoke internal API methods that should be restricted, as exploited in the wild in May 2025. | ACT NOW CVE-2025-48827 10.0 vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted template conditional expressions. Attackers abuse PHP's alternative function invocation syntax to bypass template engine security checks and execute arbitrary PHP code, as actively exploited in the wild in May 2025. |

ACT NOW CVE-2025-52488 8.6 DNN (DotNetNuke) CMS versions 6.0.0 through 10.0.0 contain a vulnerability that can expose NTLM hashes to a third-party SMB server. Through a specially crafted series of interactions, an attacker can force the DNN server to authenticate to an attacker-controlled SMB server, capturing NTLM credential hashes for offline cracking. | ACT NOW CVE-2025-6218 7.8 WinRAR contains a directory traversal vulnerability (CVE-2025-6218, CVSS 7.8) enabling remote code execution when users extract crafted archives. KEV-listed with EPSS 4.7% and public PoC, this vulnerability allows archive files to write outside the extraction directory, placing malicious files in startup folders or other sensitive locations. Given WinRAR's 500+ million user base, this is a high-impact social engineering vector. | EMERGENCY CVE-2025-6216 9.8 Allegra project tracking software contains an authentication bypass in the password recovery token generation. Unauthenticated remote attackers can calculate the token expiration date and generate valid password reset tokens, allowing them to reset any user's password including administrators. | EMERGENCY CVE-2025-25038 9.8 MiniDVBLinux version 5.4 and earlier contains an unauthenticated OS command injection in the web-based management interface. The DVB streaming platform fails to sanitize user input before passing it to operating system commands, enabling remote attackers to execute arbitrary commands on the media server. | EMERGENCY CVE-2025-25034 9.3 SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 contain a PHP object injection vulnerability via the SugarRestSerialize.php script. The rest_data parameter is passed to unserialize() without validation, allowing unauthenticated attackers to inject malicious PHP objects for remote code execution. | EMERGENCY CVE-2025-49132 10.0 Pterodactyl game server management panel prior to version 1.11.11 contains an unauthenticated remote code execution via the /locales/locale.json endpoint. By manipulating the locale and namespace query parameters, attackers can execute arbitrary code on the panel server, gaining control over all managed game servers. | ACT NOW CVE-2025-50201 9.8 Critical OS Command Injection vulnerability in WeGIA (a web management system for charitable institutions) versions prior to 3.4.2, affecting the /html/configuracao/debug_info.php endpoint. An unauthenticated attacker can inject arbitrary operating system commands via the unsanitized 'branch' parameter, achieving remote code execution (RCE) with www-data user privileges. With a CVSS score of 9.8 and network-based attack vector requiring no authentication or user interaction, this represents an immediate and severe threat to all unpatched WeGIA deployments. | ACT NOW CVE-2025-34511 8.8 Sitecore PowerShell Extensions through version 7.0 allows authenticated users to upload arbitrary files including ASPX webshells via crafted HTTP requests. The unrestricted file upload bypasses content type restrictions, enabling remote code execution on the Sitecore IIS server with any authenticated account. | ACT NOW CVE-2025-34510 8.8 Sitecore Experience Manager, Platform, and Commerce versions 9.0 through 10.4 contain a Zip Slip vulnerability that allows authenticated attackers to write arbitrary files outside the intended upload directory. By crafting ZIP archives with path traversal entries, attackers can overwrite application files and achieve remote code execution. | ACT NOW CVE-2025-34509 7.5 Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 through 10.4.1 contain a hardcoded administrative user account that allows unauthenticated remote attackers to gain unauthorized access to sensitive administrative APIs over HTTP without authentication. This vulnerability has a CVSS score of 7.5 (High) and enables confidentiality breach through direct API access; exploitation likelihood is high due to the low attack complexity and lack of authentication requirements. | ACT NOW CVE-2025-5777 7.5 Citrix NetScaler ADC and Gateway contain an input validation vulnerability (CVE-2025-5777, CVSS 7.5) leading to memory overread when configured as VPN or AAA virtual server. KEV-listed with EPSS 69.8% and public PoC, this vulnerability enables remote unauthenticated attackers to read sensitive data from the appliance's memory, potentially exposing session tokens, credentials, and encryption keys — similar to the Heartbleed class of memory disclosure bugs. | ACT NOW CVE-2025-6095 7.3 A SQL injection vulnerability (CVSS 7.3). Risk factors: EPSS 28% exploitation probability, public PoC available. | EMERGENCY CVE-2025-45985 9.8 Critical remote command injection vulnerability affecting multiple Blink router models through the bs_SetSSIDHide function, allowing unauthenticated attackers to execute arbitrary commands with full system compromise. The vulnerability impacts 8 distinct product lines across versions ranging from v1.0.0 to v4.0.0, with a CVSS score of 9.8 indicating severe severity due to network accessibility, low attack complexity, and no privilege requirements. This represents an actively exploitable flaw affecting home and small business network infrastructure with potential for widespread compromise. | ACT NOW CVE-2025-33073 8.8 Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attackers to escalate privileges over the network. KEV-listed with EPSS 57.6% and public PoC, this vulnerability in the core Windows file sharing protocol affects every Windows system on the network, enabling lateral movement from any compromised domain account to SYSTEM-level access on SMB-accessible systems. | ACT NOW CVE-2025-33053 8.8 Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables remote code execution over a network. KEV-listed with EPSS 48.5% and public PoC, this vulnerability allows attackers to craft malicious .url files that execute arbitrary code when opened, bypassing the security restrictions normally applied to internet-sourced shortcut files. | ACT NOW CVE-2025-49136 9.0 A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41% exploitation probability, public PoC available. Vendor patch is available. | ACT NOW CVE-2025-49619 8.5 Skyvern versions through 0.1.85 contain a server-side template injection (SSTI) vulnerability in the Prompt field of workflow blocks (specifically Navigation v2 Block) that allows authenticated users to inject malicious Jinja2 template expressions. These expressions are evaluated server-side without proper sanitization, enabling blind remote code execution. With a CVSS score of 8.5, this vulnerability requires valid authentication but has high confidentiality impact and crosses trust boundaries (CVSS:3.1/S:C). | ACT NOW CVE-2025-45854 10.0 Unauthenticated RCE in JEHC-BPM 2.0.1 via execParams. EPSS 17.3%. PoC and patch available. CVSS 10.0. | EMERGENCY CVE-2025-44148 9.8 XSS in MailEnable before v10 via failure.aspx. EPSS 11.5%. PoC available. | ACT NOW CVE-2025-21479 8.6 A second Qualcomm GPU micronode memory corruption vulnerability (CVE-2025-21479, CVSS 8.6) exists in the unauthorized command execution path during specific GPU command sequences. KEV-listed alongside CVE-2025-21480, this indicates a systemic issue in Qualcomm's GPU micronode command validation that is being actively exploited in mobile attack chains. | ACT NOW CVE-2025-27038 7.5 Qualcomm Adreno GPU drivers in Chrome contain a use-after-free vulnerability (CVE-2025-27038, CVSS 7.5) enabling memory corruption during graphics rendering. KEV-listed, this vulnerability can be triggered through Chrome on Android devices with Qualcomm chipsets, providing a kernel-level exploitation path from web content. | ACT NOW CVE-2025-21480 8.6 Qualcomm GPU micronode contains a memory corruption vulnerability (CVE-2025-21480, CVSS 8.6) caused by unauthorized command execution during specific GPU command sequences. KEV-listed, this vulnerability enables privilege escalation from the GPU context, potentially allowing app-level attackers to gain kernel access through the GPU driver on Qualcomm-based Android devices. | ACT NOW CVE-2025-5419 8.8 Chrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling remote heap corruption through crafted HTML pages. KEV-listed with EPSS 3.0% and public PoC, this vulnerability provides both read and write primitives in V8's heap, making it highly reliable for exploitation. | EMERGENCY CVE-2025-5086 9.0 Dassault Systemes DELMIA Apriso (releases 2020-2025) contains an unauthenticated deserialization vulnerability (CVE-2025-5086, CVSS 9.0) that enables remote code execution on manufacturing execution systems. KEV-listed with EPSS 39.2% and public PoC, this vulnerability threatens industrial manufacturing operations by targeting the MES (Manufacturing Execution System) layer that controls production processes. | ACT NOW CVE-2025-49113 9.9 Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes. | ACT NOW CVE-2025-48928 4.0 The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48927 5.3 The TeleMessage service through 2025-05-05 configures Spring Boot Actuator with an exposed heap dump endpoint at a /heapdump URI, as exploited in the wild in May 2025. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available. | ACT NOW CVE-2025-48828 9.0 vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 running on PHP 8.1 or later allow unauthenticated access to protected API controllers. The /api.php endpoint fails to properly enforce method visibility on PHP 8.1+, enabling attackers to invoke internal API methods that should be restricted, as exploited in the wild in May 2025. | ACT NOW CVE-2025-48827 10.0 vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are vulnerable to remote code execution through crafted template conditional expressions. Attackers abuse PHP's alternative function invocation syntax to bypass template engine security checks and execute arbitrary PHP code, as actively exploited in the wild in May 2025. |