Skip to main content
CVE-2025-2828 CRITICAL POC PATCH Act Now

A remote code execution vulnerability in langchain-ai/langchain (CVSS 10.0). Risk factors: public PoC available. Vendor patch is available.

Microsoft SSRF Langchain Red Hat AI / ML
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-46101 CRITICAL POC Act Now

A SQL injection vulnerability (CVSS 9.8) that allows a remote attacker. Risk factors: public PoC available.

PHP SQLi Learning Management System Sharable Content Object Reference Model
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-52562 CRITICAL PATCH Act Now

A path traversal vulnerability in versions 3.9.0-rc3 to (CVSS 10.0) that allows the attacker. Critical severity with potential for significant impact on affected systems.

PHP Path Traversal
NVD GitHub
CVSS 3.1
10.0
EPSS
1.9%
CVE-2025-6512 CRITICAL PATCH Act Now

CVE-2025-6512 is a critical privilege escalation vulnerability in BRAIN2 where unauthenticated attackers can inject malicious scripts into reports on non-admin client systems, which are then executed with administrator privileges on the BRAIN2 server. This represents a complete system compromise with CVSS 10.0 severity, affecting all users regardless of their local privilege level. No authentication is required to exploit this vulnerability, making it immediately exploitable in network environments.

RCE Code Injection Privilege Escalation
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2023-47029 CRITICAL Act Now

CVE-2023-47029 is a critical remote code execution vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated attackers to execute arbitrary code and exfiltrate sensitive information through a crafted POST request to the UserService component. With a CVSS score of 9.8 and network-based attack vector requiring no privileges or user interaction, this vulnerability poses an immediate threat to NCR point-of-sale and payment terminal environments. The vulnerability's status as actively exploited (KEV designation) and the existence of public proof-of-concept code indicate high real-world exploitation risk.

RCE Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-47030 CRITICAL Act Now

CVE-2023-47030 is a critical remote code execution vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated attackers to execute arbitrary code and access sensitive information through improper input validation in the UserService SOAP API endpoint. The vulnerability affects point-of-sale and terminal systems used in retail and hospitality environments, enabling complete system compromise without authentication or user interaction.

RCE Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-47032 CRITICAL Act Now

CVE-2023-47032 is a critical remote code execution vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated attackers to execute arbitrary code by sending malicious scripts to the UserService SOAP API endpoint. The vulnerability affects NCR's point-of-sale terminal handler software and carries a CVSS score of 9.8 (critical severity). There is no indication of active exploitation in the wild, but the network-accessible SOAP API, lack of authentication requirements, and high-severity CWE-94 (Improper Control of Generation of Code) suggest this poses significant risk to NCR terminal deployments.

RCE Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-48978 CRITICAL Act Now

A remote code execution vulnerability (CVSS 9.8) that allows a remote attacker. Critical severity with potential for significant impact on affected systems.

RCE Itm Web Terminal
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-52921 CRITICAL Act Now

A remote code execution vulnerability in Innoshop (CVSS 9.9). Critical severity with potential for significant impact on affected systems.

PHP RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2023-47031 CRITICAL Act Now

CVE-2023-47031 is a critical privilege escalation vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to gain administrative privileges by crafting malicious POST requests to SOAP API endpoints (grantRolesToUsers, grantRolesToGroups, grantRolesToOrganization). With a CVSS score of 9.8 and attack vector requiring no authentication or user interaction, this vulnerability poses an immediate threat to exposed NCR Terminal Handler installations. The vulnerability has been confirmed with public disclosure and is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

Terminal Handler Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2023-47295 CRITICAL Act Now

CVE-2023-47295 is a critical CSV injection vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to execute arbitrary commands through crafted payloads injected into any text input field. The vulnerability has a CVSS 9.8 score indicating maximum severity due to network accessibility, no authentication requirements, and complete system compromise potential (confidentiality, integrity, and availability impact). This represents a direct remote code execution risk affecting payment terminal infrastructure.

Code Injection Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2023-47297 CRITICAL Act Now

CVE-2023-47297 is a critical settings manipulation vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to execute arbitrary commands and modify system security auditing configurations without authentication. With a CVSS score of 9.8 and network-accessible attack vector, this vulnerability poses an immediate threat to NCR terminal deployments in retail and financial environments. The vulnerability's presence in point-of-sale systems and payment terminals makes it particularly dangerous for organizations processing financial transactions.

Information Disclosure Terminal Handler
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-45347 CRITICAL Act Now

CVE-2024-45347 is a critical authentication bypass vulnerability in Xiaomi Mi Connect Service APP caused by flawed validation logic that allows unauthenticated attackers on the same network segment to gain unauthorized access to victim devices with complete control (confidentiality, integrity, and availability compromise). With a CVSS score of 9.6 and CVSS vector indicating adjacent network access with no privileges or user interaction required, this vulnerability represents a severe risk to Xiaomi device users, particularly in shared network environments (corporate WiFi, home networks, public hotspots).

Authentication Bypass
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-52935 CRITICAL Act Now

CVE-2025-52935 is an integer overflow/wraparound vulnerability in DragonflyDB's Lua struct module (lua_struct.C) that allows authenticated attackers with low privileges to trigger memory corruption, information disclosure, and potential code execution. The vulnerability affects DragonflyDB versions 1.30.1, 1.30.0, and 1.28.18, and carries a critical CVSS v4.0 score of 9.4 with high impact across confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed at this time, but the authenticated attack vector and high severity warrant immediate patching.

Integer Overflow Denial Of Service
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-52939 CRITICAL Act Now

CVE-2025-52939 is an out-of-bounds write vulnerability in the Lua interpreter modules (ldebug.c, lvm.c) bundled with NotepadNext through version 0.11, allowing local attackers without privileges to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. With a CVSS score of 9.4 and local attack vector requiring no user interaction, this represents a critical local privilege escalation and code execution risk; KEV status and active exploitation data are not confirmed in available intelligence, but the high CVSS and presence of affected interpreter code suggest this warrants immediate patching.

Buffer Overflow
NVD GitHub
CVSS 4.0
9.4
EPSS
0.0%
CVE-2025-52936 CRITICAL PATCH Act Now

CVE-2025-52936 is a symlink following vulnerability (CWE-59) in sslh before version 2.2.2 that allows local attackers with low privileges to bypass file access controls and potentially achieve high-impact confidentiality and integrity violations. The vulnerability enables attackers to read, modify, or delete sensitive files through improper resolution of symbolic links during file operations. With a CVSS v4.0 score of 9.3 and an attack vector limited to local access requiring low privileges, this is a critical local privilege escalation risk for multi-user systems running vulnerable sslh versions.

Information Disclosure Suse
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-6513 CRITICAL PATCH Act Now

CVE-2025-6513 is a local privilege escalation vulnerability in the BRAIN2 application where standard Windows users can access and decrypt the application's database configuration file without authentication. This allows unprivileged local users to obtain database credentials and potentially compromise sensitive data, with a CVSS score of 9.3 indicating critical severity. The vulnerability affects system confidentiality, integrity, and availability across trust boundaries.

Microsoft Information Disclosure Windows Privilege Escalation
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-6545 CRITICAL PATCH Act Now

CVE-2025-6545 is an improper input validation vulnerability in the pbkdf2 library (versions 3.0.10 through 3.1.2) affecting the lib/to-buffer.js file that enables signature spoofing through inadequate validation mechanisms. Attackers with network access and minimal attack complexity can compromise the integrity of PBKDF2-derived cryptographic signatures, potentially allowing unauthorized authentication or data tampering. The high CVSS score of 9.1 reflects critical integrity and scope impacts, though real-world exploitation likelihood depends on confirmation of active exploitation and proof-of-concept availability.

Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2025-6547 CRITICAL PATCH Act Now

CVE-2025-6547 is an improper input validation vulnerability in the pbkdf2 cryptographic library (versions ≤3.1.2) that allows attackers to spoof cryptographic signatures through inadequate validation mechanisms. This affects any application using vulnerable pbkdf2 versions for password hashing or key derivation, potentially compromising authentication and integrity verification. With a CVSS score of 9.1 and high integrity/signature impact ratings, this vulnerability has significant real-world implications for systems relying on pbkdf2 for security-critical operations.

Authentication Bypass Red Hat Suse
NVD GitHub
CVSS 4.0
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy