Multiple Linksys E-Series router models contain an unauthenticated OS command injection vulnerability in the /tmUnblock.cgi and /hndUnblock.cgi endpoints accessible on port 8080. The ttcp_ip parameter is passed directly to a system shell without sanitization, enabling remote root-level command execution on the router.
Authentication bypass in Quest KACE Systems Management Appliance allows remote unauthenticated attackers to impersonate any user and achieve complete administrative takeover via SSO mechanism flaws. Confirmed actively exploited (CISA KEV) with publicly available exploit code. Affects versions 13.0.x through 14.1.x across five major release branches. CVSS 10.0 (critical) with changed scope indicates full system compromise. EPSS score of 0.16% appears artificially low given confirmed active exploitation, suggesting targeted attacks rather than widespread scanning.
White-labeled DVRs manufactured by TVT contain an unauthenticated OS command injection in the 'Cross Web Server' HTTP service on ports 81/82. The URI path handling for language extraction fails to sanitize input, enabling remote attackers to execute arbitrary commands on the surveillance DVR.
CVE-2025-34035 is a critical OS command injection vulnerability in EnGenius EnShare Cloud Service versions 1.4.11 and earlier, affecting the usbinteract.cgi script which fails to sanitize the 'path' parameter. Unauthenticated remote attackers can inject arbitrary shell commands executed with root privileges, resulting in complete system compromise. Active exploitation has been documented by the Shadowserver Foundation as of 2024-12-05, indicating real-world threat activity.
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.
A remote code execution vulnerability in OS4Ed Open Source Information System Community (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
The Moodle LMS Jmol plugin version 6.1 and earlier contains a path traversal vulnerability in jsmol.php. The query parameter is passed directly to file_get_contents() without validation, allowing unauthenticated attackers to read arbitrary files from the Moodle server including configuration files with database credentials.
A privilege escalation vulnerability (CVSS 9.6) that allows an unauthenticated attacker. Risk factors: public PoC available.
CVE-2025-34033 is an OS command injection vulnerability in Blue Angel Software Suite's webctrl.cgi script that allows authenticated attackers to execute arbitrary commands as root via unsanitized input to the ping_addr parameter. The vulnerability affects embedded Linux devices running the Blue Angel Software Suite, and successful exploitation grants complete system compromise with command output visible in the web interface. Active exploitation was confirmed by Shadowserver Foundation on 2025-01-26, with CVSS 8.8 severity and root-level code execution impact.
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available.
CVE-2025-6565 is a critical stack-based buffer overflow vulnerability in Netgear WNCE3001 v1.0.0.50 affecting the HTTP POST request handler's Host parameter processing. An authenticated attacker can remotely exploit this to achieve complete system compromise including confidentiality, integrity, and availability violations. Public exploitation code exists, elevating immediate risk.
CVE-2025-34034 is a hardcoded credential vulnerability in Blue Angel Software Suite deployed on embedded Linux systems that allows unauthenticated or low-privilege attackers to gain administrative access to the device's web interface through undisclosed default accounts. The vulnerability carries a CVSS score of 8.8 (High) and has been actively exploited in the wild as evidenced by Shadowserver Foundation observations on 2025-01-26 UTC. This is a critical authentication bypass affecting embedded/IoT deployments with significant real-world exploitation risk.
CVE-2025-52566 is a signed vs. unsigned integer overflow vulnerability in llama.cpp's tokenizer (llama_vocab::tokenize function) that enables heap buffer overflow during text tokenization. This affects all versions of llama.cpp prior to b5721, and attackers can trigger the vulnerability with specially crafted text input during the inference process, potentially achieving code execution with high confidentiality, integrity, and availability impact. The vulnerability requires local access and user interaction but has a high CVSS score of 8.6; KEV status and active exploitation data are not currently available, but the patch exists in version b5721.
CVE-2025-34038 is an unauthenticated SQL injection vulnerability in Weaver E-cology 8.0's getdata.jsp endpoint that allows attackers to execute arbitrary SQL queries by injecting malicious code through the unsanitized 'sql' parameter in the getSelectAllIds() method. The vulnerability affects Weaver E-cology 8.0 and enables attackers to extract sensitive data including administrator password hashes without authentication. Active exploitation has been observed by Shadowserver Foundation as of 2025-02-05, indicating this is a real and present threat in the wild.
CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.
Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to craft malicious password reset emails with attacker-controlled URLs when the application_url configuration is unset (default state). If a victim clicks the poisoned reset link, their password reset token is leaked to the attacker's domain, enabling complete account takeover including administrative accounts. This vulnerability requires user interaction (clicking a link) but affects all users initiating password resets on vulnerable instances, making it a practical and high-impact attack vector for account compromise.
CVE-2025-44531 is a Denial of Service vulnerability in Realtek RTL8762E SDK v1.4.0 that allows unauthenticated remote attackers to crash Bluetooth-enabled devices by sending a specially crafted packet before the pairing public key exchange is completed. The vulnerability affects Bluetooth Low Energy (BLE) implementations using the vulnerable SDK version, with a CVSS score of 7.5 indicating high severity. No public exploit code or active exploitation in the wild has been reported at the time of this analysis.
CVE-2025-2962 is a denial-of-service vulnerability in a DNS implementation that triggers an infinite loop condition, allowing unauthenticated remote attackers to crash DNS services with high availability impact. The vulnerability affects DNS resolver implementations and has a CVSS score of 7.5 (High) with a network-based attack vector requiring no privileges or user interaction. While the CVE ID and basic metadata are provided, specific product names, versions, KEV status, EPSS scores, and public proof-of-concept availability cannot be confirmed from the limited data supplied.
A cross-site scripting vulnerability in Netbox Community 4.1.7 (CVSS 7.1). Risk factors: public PoC available.
PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.
An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. The vulnerability allows unauthenticated attackers to construct and send malicious HTTP requests to the EDR Manager interface, leading to arbitrary command execution with elevated privileges. This flaw only affects the Chinese-language EDR builds. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
CVE-2024-56731 is a critical remote code execution vulnerability in Gogs (self-hosted Git service) versions prior to 0.13.3, where unprivileged users can delete files in the .git directory and achieve arbitrary command execution due to an incomplete patch of CVE-2024-39931. An unauthenticated remote attacker can execute arbitrary commands with the privileges of the RUN_USER account, compromising all code repositories and user data on affected instances. This represents an actively exploitable vulnerability with a perfect CVSS 3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no privilege requirements, and complete system compromise.
CVE-2025-52572 is a critical remote code execution vulnerability in Hikka, a Telegram userbot, affecting all versions across all platforms. The vulnerability exists in two exploitation paths: an unauthenticated web interface allowing direct RCE via attacker-controlled Telegram accounts, and an authenticated interface where insufficient UI warnings trick users into granting dangerous permissions, enabling both RCE and Telegram account compromise. Scenario 2 has been actively exploited in the wild, with a CVSS 10.0 score reflecting network-accessible unauthenticated attack paths and complete system compromise potential.
A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.
In Netbox Community 4.1.7, the login page is vulnerable to cross-site scripting (XSS), which allows a privileged, authenticated attacker to exfiltrate user input from the login form.
In Netbox Community 4.1.7, once authenticated, Configuration History > Add`is vulnerable to cross-site scripting (XSS) due to the `current value` field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a Configuration History version or attempts to Add a new version, the XSS payload will trigger.
PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in odms/admin/view-user-queries.php.
PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in /admin/view-booking-detail.php and /admin/invoice-generating.php.
A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet (bsh.servlet.BshServlet) without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This can be exploited to run system commands and ultimately gain full control over the target server. The issue is rooted in a third-party JAR component bundled with the application, and the servlet is accessible without authentication on vulnerable installations. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
CVE-2025-4378 is a critical authentication vulnerability in Ataturk University's ATA-AOF Mobile Application that combines cleartext transmission of sensitive information with hard-coded credentials, allowing unauthenticated attackers over the network to bypass authentication and abuse user accounts. All versions before 20.06.2025 are affected with a perfect CVSS 3.1 score of 10.0, indicating maximum severity across confidentiality, integrity, and availability dimensions.
CVE-2024-37743 is a critical remote code execution vulnerability in mmzdev KnowledgeGPT v0.0.5 that allows unauthenticated attackers to execute arbitrary code through a flaw in the Document Display Component. The vulnerability has a CVSS score of 9.8 and CWE-94 classification (improper control of generation of code), indicating unsafe code generation or deserialization. Given the high CVSS and network-accessible attack vector with no authentication requirements, this represents an actively exploitable critical risk to any organization running the affected version.
A security vulnerability in the ESP-NOW protocol implementation within the ESP Wi-Fi component of (CVSS 9.8). Critical severity with potential for significant impact on affected systems. Vendor patch is available.
CVE-2025-6559 is an unauthenticated OS Command Injection vulnerability affecting multiple Sapido wireless router models that are out of support. Remote attackers can inject and execute arbitrary operating system commands with no authentication required, achieving complete system compromise. The CVSS 9.8 Critical severity reflects the trivial attack vector (network-accessible, no user interaction required) and complete impact on confidentiality, integrity, and availability.
CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.
CVE-2025-43879 is a critical OS command injection vulnerability in Whirlpool refrigerator models WRH-733GBK and WRH-733GWH that allows unauthenticated remote attackers to execute arbitrary operating system commands via the telnet function. With a CVSS 9.8 score and network-accessible attack vector requiring no authentication or user interaction, this vulnerability poses immediate risk to any connected affected appliance. The vulnerability's presence in IoT/appliance firmware suggests potential for botnet recruitment, lateral network movement, or data exfiltration from vulnerable devices.
A denial of service vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
CVE-2025-6560 is a critical authentication bypass vulnerability affecting multiple Sapido wireless router models, where unauthenticated remote attackers can directly access system configuration files containing plaintext administrator credentials. The affected models are end-of-life products with no vendor patches available; this vulnerability carries a CVSS 9.8 rating and likely has exploitation activity given the simplicity of the attack vector and lack of defensive complexity. Immediate device replacement is the only viable remediation.
Apache Airflow Providers Snowflake versions before 6.4.0 contain a Special Element Injection vulnerability (CWE-75) in the CopyFromExternalStageToSnowflakeOperator that fails to properly sanitize table and stage parameters, allowing unauthenticated attackers to execute arbitrary SQL injection attacks with complete system compromise (CVSS 9.8). This is a critical remote vulnerability requiring network access only, with no authentication or user interaction needed, making it a high-priority patch regardless of KEV/EPSS status.
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain an improper authentication vulnerability (CWE-287) that allows unauthenticated network attackers to completely bypass authentication mechanisms and gain unauthorized permissions within the application. With a CVSS 9.8 score reflecting network-accessible, low-complexity exploitation requiring no user interaction or privileges, this represents a critical remote authentication bypass affecting all confidentiality, integrity, and availability of the system. The vulnerability's presence in a widely-deployed identity and access control product makes this a high-priority threat requiring immediate patching.
CVE-2025-6433 is a critical WebAuthn specification violation in Firefox and Thunderbird that allows attackers to present WebAuthn authentication challenges over non-secure TLS connections with user-granted exceptions. This bypasses the WebAuthn requirement for secure transport without errors, enabling credential theft and account compromise. Firefox < 140 and Thunderbird < 140 are affected; the network-based attack requires no privileges or user interaction beyond the initial certificate exception grant, resulting in a CVSS 9.8 critical rating.
CVE-2025-52571 is a critical authentication bypass vulnerability in Hikka Telegram userbot affecting versions below 1.6.2 that allows unauthenticated attackers to gain unauthorized access to victims' Telegram accounts and full server control. The vulnerability has a CVSS score of 9.6 (Critical) with network-based exploitation requiring only user interaction; patch version 1.6.2 is available as the sole remediation with no known workarounds.
CVE-2025-32977 is a critical unauthenticated backup file upload vulnerability in Quest KACE Systems Management Appliance (SMA) that allows attackers to bypass signature validation and upload malicious backup content, potentially achieving remote code execution with system-wide impact. The vulnerability affects SMA versions 13.0.x through 14.1.x and requires only user interaction (UI:R) but no authentication (PR:N), with a CVSS 9.6 severity rating indicating high exploitability.
CVE-2025-6580 is a critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 affecting the Login component's Username parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing exploitation risk.
CVE-2025-6579 is a critical SQL injection vulnerability in code-projects Car Rental System 1.0 affecting the /message_admin.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available and may be actively exploited in the wild.
CVE-2025-6578 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System version 1.0 affecting the /admin/delete_account.php file through unsanitized admin_id parameter manipulation. An unauthenticated remote attacker can execute arbitrary SQL queries to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk for deployed instances.
CVE-2025-6567 is a critical SQL injection vulnerability in Campcodes Online Recruitment Management System version 1.0, specifically in the Recruitment/admin/view_application.php file where the ID parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of recruitment records. The vulnerability has been publicly disclosed with proof-of-concept code available, and exploitation requires no special privileges or user interaction.
CVE-2025-2566 is an unsafe Java deserialization vulnerability in Kaleris NAVIS N4 ULC that allows unauthenticated attackers to execute arbitrary code on affected servers through specially crafted requests. The vulnerability affects Kaleris NAVIS N4 Ultra Light Client installations and presents critical risk due to its network-accessible attack vector, lack of authentication requirements, and remote code execution impact. Given the CVSS 9.3 score and unauthenticated attack surface, this should be treated as a priority vulnerability for organizations running affected versions.
A vulnerability was found in oatpp Oat++ up to 1.3.1. It has been declared as critical. This vulnerability affects the function deserializeArray of the file src/oatpp/json/Deserializer.cpp. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
A authentication bypass vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm (CVSS 9.3). Critical severity with potential for significant impact on affected systems.
A security vulnerability in Devtools. This vulnerability affects Firefox (CVSS 9.1). Critical severity with potential for significant impact on affected systems.