THREAT ALERT

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — June 24, 2025

129 CVEs tracked today. 28 Critical, 40 High, 46 Medium, 4 Low.

CVE-2025-34037 CRITICAL CVSS 10.0
Multiple Linksys E-Series router models contain an unauthenticated OS command injection vulnerability in the /tmUnblock.cgi and /hndUnblock.cgi endpoints accessible on port 8080. The ttcp_ip parameter is passed directly to a system shell without sanitization, enabling remote root-level command execution on the router.

RCE Command Injection
CVE-2025-34036 CRITICAL CVSS 9.8
White-labeled DVRs manufactured by TVT contain an unauthenticated OS command injection in the 'Cross Web Server' HTTP service on ports 81/82. The URI path handling for language extraction fails to sanitize input, enabling remote attackers to execute arbitrary commands on the surveillance DVR.

Command Injection RCE Authentication Bypass Td 2932td Hp Firmware Td 2108ts Cl Firmware
CVE-2025-52572 CRITICAL CVSS 10.0
CVE-2025-52572 is a critical remote code execution vulnerability in Hikka, a Telegram userbot, affecting all versions across all platforms. The vulnerability exists in two exploitation paths: an unauthenticated web interface allowing direct RCE via attacker-controlled Telegram accounts, and an authenticated interface where insufficient UI warnings trick users into granting dangerous permissions, enabling both RCE and Telegram account compromise. Scenario 2 has been actively exploited in the wild, with a CVSS 10.0 score reflecting network-accessible unauthenticated attack paths and complete system compromise potential.

RCE
CVE-2025-52571 CRITICAL CVSS 9.6
CVE-2025-52571 is a critical authentication bypass vulnerability in Hikka Telegram userbot affecting versions below 1.6.2 that allows unauthenticated attackers to gain unauthorized access to victims' Telegram accounts and full server control. The vulnerability has a CVSS score of 9.6 (Critical) with network-based exploitation requiring only user interaction; patch version 1.6.2 is available as the sole remediation with no known workarounds.

Information Disclosure
CVE-2025-52471 CRITICAL CVSS 9.8
A security vulnerability in the ESP-NOW protocol implementation within the ESP Wi-Fi component of (CVSS 9.8). Critical severity with potential for significant impact on affected systems. Vendor patch is available.

RCE Esp Idf
CVE-2025-50213 CRITICAL CVSS 9.8
Apache Airflow Providers Snowflake versions before 6.4.0 contain a Special Element Injection vulnerability (CWE-75) in the CopyFromExternalStageToSnowflakeOperator that fails to properly sanitize table and stage parameters, allowing unauthenticated attackers to execute arbitrary SQL injection attacks with complete system compromise (CVSS 9.8). This is a critical remote vulnerability requiring network access only, with no authentication or user interaction needed, making it a high-priority patch regardless of KEV/EPSS status.

Apache SQLi Python Apache Airflow Providers Snowflake
CVE-2025-49853 CRITICAL CVSS 9.1
ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection vulnerabilities that allow unauthenticated remote attackers to execute arbitrary SQL queries, potentially leaking sensitive information or modifying database contents. The CVSS 9.1 score reflects the critical nature (high confidentiality and integrity impact), though availability is not directly affected. Active exploitation status and proof-of-concept availability cannot be confirmed from provided data, but the unauthenticated, network-accessible attack vector makes this a high-priority vulnerability.

Information Disclosure Control Id Idsecure SQLi
CVE-2025-49851 CRITICAL CVSS 9.8
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain an improper authentication vulnerability (CWE-287) that allows unauthenticated network attackers to completely bypass authentication mechanisms and gain unauthorized permissions within the application. With a CVSS 9.8 score reflecting network-accessible, low-complexity exploitation requiring no user interaction or privileges, this represents a critical remote authentication bypass affecting all confidentiality, integrity, and availability of the system. The vulnerability's presence in a widely-deployed identity and access control product makes this a high-priority threat requiring immediate patching.

Authentication Bypass Control Id Idsecure
CVE-2025-48890 CRITICAL CVSS 9.8
CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.

Command Injection RCE IoT Netgear
CVE-2025-48469 CRITICAL CVSS 9.6
A privilege escalation vulnerability (CVSS 9.6) that allows an unauthenticated attacker. Risk factors: public PoC available.

Privilege Escalation Authentication Bypass RCE Wise 4060lan Firmware Wise 4010lan Firmware
CVE-2025-43879 CRITICAL CVSS 9.8
CVE-2025-43879 is a critical OS command injection vulnerability in Whirlpool refrigerator models WRH-733GBK and WRH-733GWH that allows unauthenticated remote attackers to execute arbitrary operating system commands via the telnet function. With a CVSS 9.8 score and network-accessible attack vector requiring no authentication or user interaction, this vulnerability poses immediate risk to any connected affected appliance. The vulnerability's presence in IoT/appliance firmware suggests potential for botnet recruitment, lateral network movement, or data exfiltration from vulnerable devices.

Command Injection
CVE-2025-34041 CRITICAL CVSS 10.0
An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. The vulnerability allows unauthenticated attackers to construct and send malicious HTTP requests to the EDR Manager interface, leading to arbitrary command execution with elevated privileges. This flaw only affects the Chinese-language EDR builds. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Command Injection
CVE-2025-34040 CRITICAL CVSS 10.0
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.

File Upload RCE Path Traversal
CVE-2025-34039 CRITICAL CVSS 10.0
A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet (bsh.servlet.BshServlet) without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This can be exploited to run system commands and ultimately gain full control over the target server. The issue is rooted in a third-party JAR component bundled with the application, and the servlet is accessible without authentication on vulnerable installations. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Java Authentication Bypass
CVE-2025-34035 CRITICAL CVSS 9.8
CVE-2025-34035 is a critical OS command injection vulnerability in EnGenius EnShare Cloud Service versions 1.4.11 and earlier, affecting the usbinteract.cgi script which fails to sanitize the 'path' parameter. Unauthenticated remote attackers can inject arbitrary shell commands executed with root privileges, resulting in complete system compromise. Active exploitation has been documented by the Shadowserver Foundation as of 2024-12-05, indicating real-world threat activity.

Command Injection Esr900 Firmware Esr1200 Firmware Esr350 Firmware Esr300 Firmware
CVE-2025-34031 HIGH CVSS 7.5
The Moodle LMS Jmol plugin version 6.1 and earlier contains a path traversal vulnerability in jsmol.php. The query parameter is passed directly to file_get_contents() without validation, allowing unauthenticated attackers to read arbitrary files from the Moodle server including configuration files with database credentials.

PHP Path Traversal Moodle Information Disclosure Jmol
CVE-2025-32977 CRITICAL CVSS 9.6
CVE-2025-32977 is a critical unauthenticated backup file upload vulnerability in Quest KACE Systems Management Appliance (SMA) that allows attackers to bypass signature validation and upload malicious backup content, potentially achieving remote code execution with system-wide impact. The vulnerability affects SMA versions 13.0.x through 14.1.x and requires only user interaction (UI:R) but no authentication (PR:N), with a CVSS 9.6 severity rating indicating high exploitability.

Authentication Bypass
CVE-2025-32975 CRITICAL CVSS 10.0
A authentication bypass vulnerability (CVSS 10.0) that allows attackers. Risk factors: public PoC available.

Authentication Bypass
CVE-2025-6560 CRITICAL CVSS 9.8
CVE-2025-6560 is a critical authentication bypass vulnerability affecting multiple Sapido wireless router models, where unauthenticated remote attackers can directly access system configuration files containing plaintext administrator credentials. The affected models are end-of-life products with no vendor patches available; this vulnerability carries a CVSS 9.8 rating and likely has exploitation activity given the simplicity of the attack vector and lack of defensive complexity. Immediate device replacement is the only viable remediation.

Information Disclosure
CVE-2025-6559 CRITICAL CVSS 9.8
CVE-2025-6559 is an unauthenticated OS Command Injection vulnerability affecting multiple Sapido wireless router models that are out of support. Remote attackers can inject and execute arbitrary operating system commands with no authentication required, achieving complete system compromise. The CVSS 9.8 Critical severity reflects the trivial attack vector (network-accessible, no user interaction required) and complete impact on confidentiality, integrity, and availability.

Command Injection
CVE-2025-6433 CRITICAL CVSS 9.8
CVE-2025-6433 is a critical WebAuthn specification violation in Firefox and Thunderbird that allows attackers to present WebAuthn authentication challenges over non-secure TLS connections with user-granted exceptions. This bypasses the WebAuthn requirement for secure transport without errors, enabling credential theft and account compromise. Firefox < 140 and Thunderbird < 140 are affected; the network-based attack requires no privileges or user interaction beyond the initial certificate exception grant, resulting in a CVSS 9.8 critical rating.

Mozilla Authentication Bypass Tls Firefox Thunderbird
CVE-2025-6427 CRITICAL CVSS 9.1
A security vulnerability in Devtools. This vulnerability affects Firefox (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

Mozilla Information Disclosure Firefox Thunderbird Redhat
CVE-2025-6424 CRITICAL CVSS 9.8
A denial of service vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Use After Free Mozilla Denial Of Service Firefox Thunderbird
CVE-2025-4383 CRITICAL CVSS 9.3
A authentication bypass vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm (CVSS 9.3). Critical severity with potential for significant impact on affected systems.

Authentication Bypass Brute Force
CVE-2025-4378 CRITICAL CVSS 10.0
CVE-2025-4378 is a critical authentication vulnerability in Ataturk University's ATA-AOF Mobile Application that combines cleartext transmission of sensitive information with hard-coded credentials, allowing unauthenticated attackers over the network to bypass authentication and abuse user accounts. All versions before 20.06.2025 are affected with a perfect CVSS 3.1 score of 10.0, indicating maximum severity across confidentiality, integrity, and availability dimensions.

Authentication Bypass Information Disclosure
CVE-2025-2566 CRITICAL CVSS 9.3
CVE-2025-2566 is an unsafe Java deserialization vulnerability in Kaleris NAVIS N4 ULC that allows unauthenticated attackers to execute arbitrary code on affected servers through specially crafted requests. The vulnerability affects Kaleris NAVIS N4 Ultra Light Client installations and presents critical risk due to its network-accessible attack vector, lack of authentication requirements, and remote code execution impact. Given the CVSS 9.3 score and unauthenticated attack surface, this should be treated as a priority vulnerability for organizations running affected versions.

Deserialization RCE Java
CVE-2024-56731 CRITICAL CVSS 10.0
CVE-2024-56731 is a critical remote code execution vulnerability in Gogs (self-hosted Git service) versions prior to 0.13.3, where unprivileged users can delete files in the .git directory and achieve arbitrary command execution due to an incomplete patch of CVE-2024-39931. An unauthenticated remote attacker can execute arbitrary commands with the privileges of the RUN_USER account, compromising all code repositories and user data on affected instances. This represents an actively exploitable vulnerability with a perfect CVSS 3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no privilege requirements, and complete system compromise.

RCE Gogs Suse
CVE-2024-37743 CRITICAL CVSS 9.8
CVE-2024-37743 is a critical remote code execution vulnerability in mmzdev KnowledgeGPT v0.0.5 that allows unauthenticated attackers to execute arbitrary code through a flaw in the Document Display Component. The vulnerability has a CVSS score of 9.8 and CWE-94 classification (improper control of generation of code), indicating unsafe code generation or deserialization. Given the high CVSS and network-accessible attack vector with no authentication requirements, this represents an actively exploitable critical risk to any organization running the affected version.

RCE Knowledgegpt
CVE-2021-41691 CRITICAL CVSS 9.8
A remote code execution vulnerability in OS4Ed Open Source Information System Community (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

PHP SQLi Opensis
CVE-2025-52888 HIGH CVSS 7.5
Allure 2 versions prior to 2.34.1 contain a critical XML External Entity (XXE) injection vulnerability in the xunit-xml-plugin that allows unauthenticated remote attackers to read arbitrary files from the server's filesystem and potentially trigger SSRF attacks. The vulnerability stems from insecure XML parser configuration in the DocumentBuilderFactory and is exploitable by uploading or providing malicious test result XML files without any authentication or user interaction required.

XXE SSRF Information Disclosure Java
CVE-2025-52574 HIGH CVSS 7.5
SysmonElixir versions prior to 1.0.1 contain a path traversal vulnerability in the /read endpoint that allows unauthenticated remote attackers to read arbitrary files from the server, including sensitive system files like /etc/passwd. The vulnerability was patched in version 1.0.1 by implementing a whitelist restricting file reads to the priv/data directory. This is a high-severity information disclosure issue (CVSS 7.5) with no authentication required and network-accessible attack surface.

Path Traversal Information Disclosure Python
CVE-2025-52568 HIGH CVSS 8.8
CVE-2025-52568 is a critical memory safety vulnerability in NeKernal (an open-source OS stack) prior to version 0.0.3 that enables memory corruption, disk image corruption, denial of service, and potential code execution through unchecked memory operations and unsafe typecasting. The vulnerability is remotely exploitable with no authentication or user interaction required (CVSS 8.8, AV:N/AC:L). All users running NeKernal versions before 0.0.3 are affected and should immediately upgrade to the patched version.

RCE Buffer Overflow Denial Of Service Memory Corruption
CVE-2025-52566 HIGH CVSS 8.6
CVE-2025-52566 is a signed vs. unsigned integer overflow vulnerability in llama.cpp's tokenizer (llama_vocab::tokenize function) that enables heap buffer overflow during text tokenization. This affects all versions of llama.cpp prior to b5721, and attackers can trigger the vulnerability with specially crafted text input during the inference process, potentially achieving code execution with high confidentiality, integrity, and availability impact. The vulnerability requires local access and user interaction but has a high CVSS score of 8.6; KEV status and active exploitation data are not currently available, but the patch exists in version b5721.

Buffer Overflow Heap Overflow Integer Overflow Python Llama.Cpp
CVE-2025-52560 HIGH CVSS 8.1
Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to craft malicious password reset emails with attacker-controlled URLs when the application_url configuration is unset (default state). If a victim clicks the poisoned reset link, their password reset token is leaked to the attacker's domain, enabling complete account takeover including administrative accounts. This vulnerability requires user interaction (clicking a link) but affects all users initiating password resets on vulnerable instances, making it a practical and high-impact attack vector for account compromise.

Information Disclosure Kanboard
CVE-2025-49852 HIGH CVSS 7.5
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary requests from the vulnerable server to internal or external systems, potentially exposing sensitive information. The CVSS 7.5 score reflects the high confidentiality impact and network-accessible attack vector, though integrity and availability are not compromised. This vulnerability requires immediate patching as it requires no authentication or user interaction.

SSRF Control Id Idsecure
CVE-2025-48466 HIGH CVSS 8.1
CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.

Modbus Authentication Bypass IoT Wise 4010lan Firmware Wise 4050lan Firmware
CVE-2025-44531 HIGH CVSS 7.5
CVE-2025-44531 is a Denial of Service vulnerability in Realtek RTL8762E SDK v1.4.0 that allows unauthenticated remote attackers to crash Bluetooth-enabled devices by sending a specially crafted packet before the pairing public key exchange is completed. The vulnerability affects Bluetooth Low Energy (BLE) implementations using the vulnerable SDK version, with a CVSS score of 7.5 indicating high severity. No public exploit code or active exploitation in the wild has been reported at the time of this analysis.

Denial Of Service Rtl8762e Software Development Kit
CVE-2025-41427 HIGH CVSS 8.8
A command injection vulnerability in Connection Diagnostics page (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Command Injection TP-Link RCE Authentication Bypass
CVE-2025-39202 HIGH CVSS 7.3
CVE-2025-39202 is a local privilege escalation vulnerability in MicroSCADA X SYS600's Monitor Pro interface that allows authenticated users with low privileges to read and overwrite arbitrary files, leading to information disclosure and data corruption. The vulnerability affects the SYS600 product line and requires local access with valid credentials; while the CVSS score of 7.3 indicates moderate-to-high severity, real-world exploitability depends on whether this vulnerability has been added to CISA's KEV catalog or has publicly available proof-of-concept code.

Siemens Scada Information Disclosure Path Traversal Microscada X Sys600
CVE-2025-36537 HIGH CVSS 7.0
CVE-2025-36537 is a local privilege escalation vulnerability in TeamViewer Client (Full and Host) and Tensor prior to version 15.67 on Windows that allows an unprivileged local user to delete arbitrary files with SYSTEM privileges by exploiting improper permission assignment in the MSI rollback mechanism. The vulnerability is limited to Remote Management features (Backup, Monitoring, and Patch Management), has a CVSS score of 7.0, and requires local access with medium attack complexity but no user interaction. This vulnerability represents a significant elevation-of-privilege risk for organizations relying on TeamViewer for remote management.

Microsoft Information Disclosure Windows
CVE-2025-34038 HIGH CVSS 7.5
CVE-2025-34038 is an unauthenticated SQL injection vulnerability in Weaver E-cology 8.0's getdata.jsp endpoint that allows attackers to execute arbitrary SQL queries by injecting malicious code through the unsanitized 'sql' parameter in the getSelectAllIds() method. The vulnerability affects Weaver E-cology 8.0 and enables attackers to extract sensitive data including administrator password hashes without authentication. Active exploitation has been observed by Shadowserver Foundation as of 2025-02-05, indicating this is a real and present threat in the wild.

Information Disclosure SQLi E Cology
CVE-2025-34034 HIGH CVSS 8.8
CVE-2025-34034 is a hardcoded credential vulnerability in Blue Angel Software Suite deployed on embedded Linux systems that allows unauthenticated or low-privilege attackers to gain administrative access to the device's web interface through undisclosed default accounts. The vulnerability carries a CVSS score of 8.8 (High) and has been actively exploited in the wild as evidenced by Shadowserver Foundation observations on 2025-01-26 UTC. This is a critical authentication bypass affecting embedded/IoT deployments with significant real-world exploitation risk.

Information Disclosure Blue Angel Software Suite
CVE-2025-34033 HIGH CVSS 8.8
CVE-2025-34033 is an OS command injection vulnerability in Blue Angel Software Suite's webctrl.cgi script that allows authenticated attackers to execute arbitrary commands as root via unsanitized input to the ping_addr parameter. The vulnerability affects embedded Linux devices running the Blue Angel Software Suite, and successful exploitation grants complete system compromise with command output visible in the web interface. Active exploitation was confirmed by Shadowserver Foundation on 2025-01-26, with CVSS 8.8 severity and root-level code execution impact.

Command Injection Blue Angel Software Suite
CVE-2025-32978 HIGH CVSS 7.5
CVE-2025-32978 is an unauthenticated license replacement vulnerability in Quest KACE Systems Management Appliance that allows attackers to replace valid licenses with expired or trial licenses via a web interface, causing denial of service. The vulnerability affects KACE SMA versions 13.0.x through 14.1.x across multiple release branches. This is a network-accessible, zero-privilege exploitation requiring no user interaction, making it a high-impact availability threat to organizations relying on KACE for systems management.

Denial Of Service
CVE-2025-32976 HIGH CVSS 8.8
CVE-2025-32976 is a security vulnerability (CVSS 8.8) that allows authenticated users. High severity vulnerability requiring prompt remediation.

Authentication Bypass Privilege Escalation
CVE-2025-27828 HIGH CVSS 7.1
CVE-2025-27828 is a reflected cross-site scripting (XSS) vulnerability in the legacy chat component of Mitel MiContact Center Business that allows unauthenticated attackers to execute arbitrary scripts in victim browsers through maliciously crafted URLs. The vulnerability affects multiple versions (10.0.0.4 and earlier, 10.1.0.0-10.1.0.5, and 10.2.0.0-10.2.0.4) and requires user interaction to exploit. While the CVSS score of 7.1 is moderate-to-high, the impact is limited to confidentiality and integrity with no availability impact, and exploitation requires social engineering to trick users into clicking malicious links.

XSS
CVE-2025-27827 HIGH CVSS 7.1
CVE-2025-27827 is an information disclosure vulnerability in Mitel MiContact Center Business legacy chat component (versions through 10.2.0.3) that allows unauthenticated attackers to access sensitive chat data and session information through improper session handling. An attacker can exploit this to read active chat messages, join chat rooms without authorization, and send messages as legitimate users, requiring only user interaction to succeed. The CVSS 7.1 score reflects high confidentiality impact with limited integrity risk, though real-world exploitability depends on whether this is actively exploited (KEV status unknown from provided data) and patch availability from Mitel.

Information Disclosure Authentication Bypass
CVE-2025-23265 HIGH CVSS 7.8
CVE-2025-23265 is a code injection vulnerability in NVIDIA Megatron-LM's Python component that allows local attackers with low privileges to execute arbitrary code by providing a malicious file. Successful exploitation enables code execution, privilege escalation, information disclosure, and data tampering. This vulnerability affects all platforms running Megatron-LM and poses significant risk to machine learning infrastructure, particularly in multi-tenant or shared compute environments.

RCE Python Information Disclosure Megatron Lm
CVE-2025-23264 HIGH CVSS 7.8
CVE-2025-23264 is a code injection vulnerability in NVIDIA Megatron-LM's Python component that allows local attackers with limited privileges to execute arbitrary code through malicious file inputs. This vulnerability affects all platforms running Megatron-LM and can lead to complete system compromise including code execution, privilege escalation, information disclosure, and data tampering. The attack requires local access and user interaction is not needed, making it a significant risk for multi-tenant environments and shared compute resources.

RCE Python Information Disclosure Megatron Lm
CVE-2025-6580 HIGH CVSS 7.3
CVE-2025-6580 is a critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 affecting the Login component's Username parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing exploitation risk.

SQLi Best Salon Management System
CVE-2025-6579 HIGH CVSS 7.3
CVE-2025-6579 is a critical SQL injection vulnerability in code-projects Car Rental System 1.0 affecting the /message_admin.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available and may be actively exploited in the wild.

PHP SQLi Car Rental System
CVE-2025-6578 HIGH CVSS 7.3
CVE-2025-6578 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System version 1.0 affecting the /admin/delete_account.php file through unsanitized admin_id parameter manipulation. An unauthenticated remote attacker can execute arbitrary SQL queries to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk for deployed instances.

PHP SQLi Simple Online Hotel Reservation System
CVE-2025-6568 HIGH CVSS 8.8
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
CVE-2025-6567 HIGH CVSS 7.3
CVE-2025-6567 is a critical SQL injection vulnerability in Campcodes Online Recruitment Management System version 1.0, specifically in the Recruitment/admin/view_application.php file where the ID parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of recruitment records. The vulnerability has been publicly disclosed with proof-of-concept code available, and exploitation requires no special privileges or user interaction.

PHP SQLi Online Recruitment Management System
CVE-2025-6565 HIGH CVSS 8.8
CVE-2025-6565 is a critical stack-based buffer overflow vulnerability in Netgear WNCE3001 v1.0.0.50 affecting the HTTP POST request handler's Host parameter processing. An authenticated attacker can remotely exploit this to achieve complete system compromise including confidentiality, integrity, and availability violations. Public exploitation code exists, elevating immediate risk.

Buffer Overflow Netgear Remote Code Execution
CVE-2025-6436 HIGH CVSS 8.1
CVE-2025-6436 is a collection of memory safety vulnerabilities in Firefox and Thunderbird versions 139 that demonstrate evidence of memory corruption with potential for arbitrary code execution. The vulnerability affects Firefox < 140 and Thunderbird < 140, and requires network access but moderate attack complexity. While no active exploitation in the wild has been confirmed, the high CVSS score of 8.1 and memory corruption evidence indicate this is a critical patch requiring immediate deployment.

RCE Mozilla Memory Corruption Thunderbird Firefox
CVE-2025-6435 HIGH CVSS 8.1
CVE-2025-6435 is a file handling vulnerability in Firefox and Thunderbird's Developer Tools where saved network responses may lack the `.download` file extension, potentially allowing attackers to trick users into executing malicious executables. This affects Firefox versions below 140 and Thunderbird versions below 140. The vulnerability requires user interaction (saving and executing a file) but carries high severity (CVSS 8.1) due to potential for arbitrary code execution.

Mozilla RCE Firefox Thunderbird Redhat
CVE-2025-6432 HIGH CVSS 8.6
CVE-2025-6432 is a DNS proxy bypass vulnerability in Firefox and Thunderbird when Mozilla's Multi-Account Containers extension is enabled. Under specific conditions-invalid domain names or unresponsive SOCKS proxies-DNS requests circumvent the configured SOCKS proxy, potentially exposing user browsing activity to network monitoring. This affects Firefox < 140 and Thunderbird < 140, has a high CVSS score of 8.6 reflecting significant confidentiality impact, and requires network-level access but no user interaction to exploit.

Information Disclosure Mozilla Dns Firefox Thunderbird
CVE-2025-6426 HIGH CVSS 8.8
CVE-2025-6426 is a missing executable file warning vulnerability in Firefox and Thunderbird on macOS that fails to alert users before opening files with the 'terminal' extension, potentially allowing attackers to execute arbitrary code. This affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12 on macOS only. An attacker can leverage this to trick users into executing malicious terminal scripts by bypassing the security warning mechanism that normally prevents automatic execution of executable files.

Information Disclosure Mozilla macOS Firefox Thunderbird
CVE-2025-6206 HIGH CVSS 7.5
The Aiomatic WordPress plugin (versions ≤2.5.0) contains an arbitrary file upload vulnerability in the 'aiomatic_image_editor_ajax_submit' AJAX function due to missing file type validation, allowing authenticated Subscriber-level users to upload malicious files and potentially achieve remote code execution. Exploitation requires a valid (though arbitrary) Stability.AI API key to be configured. This is a high-impact vulnerability affecting WordPress sites using this plugin, with CVSS 7.5 reflecting the combination of high confidentiality/integrity/authentication bypass risk despite high attack complexity.

WordPress RCE Aiomatic PHP
CVE-2025-6032 HIGH CVSS 8.3
CVE-2025-6032 is a TLS certificate validation bypass in Podman's machine init command that fails to verify certificates when downloading VM images from OCI registries, enabling Man-in-the-Middle (MITM) attacks. This affects users running Podman machine initialization on networked systems where attackers can intercept traffic. While the CVSS score of 8.3 indicates high severity with potential for confidentiality, integrity, and availability impact, real-world exploitation requires specific network positioning (AC:H - high attack complexity) and user interaction (UI:R), suggesting moderate practical risk despite the high base score.

Information Disclosure Redhat Suse
CVE-2025-5318 HIGH CVSS 8.1
CVE-2025-5318 is an out-of-bounds read vulnerability in libssh versions before 0.11.2 caused by an incorrect comparison check in the sftp_handle function that allows authenticated remote attackers to access memory beyond the valid handle list and retrieve invalid pointers for further processing. This vulnerability enables exposure of sensitive information or denial of service, with a CVSS score of 8.1 indicating high severity. The vulnerability requires authentication and network access but has high confidentiality and availability impact.

Buffer Overflow Enterprise Linux Openshift Container Platform Libssh Redhat
CVE-2025-3092 HIGH CVSS 7.5
CVE-2025-3092 is an unauthenticated user enumeration vulnerability affecting an unprotected endpoint that allows remote attackers to discover valid usernames without authentication or user interaction. The vulnerability has a CVSS score of 7.5 (High) with a vector indicating network-based attack with low complexity and no privileges required, resulting in high confidentiality impact. While the description does not specify affected product versions, CPE strings, or KEV/EPSS data, the high CVSS and information disclosure nature suggest this requires urgent patching in affected systems where user enumeration could enable follow-up attacks like credential brute-forcing or targeted social engineering.

Information Disclosure
CVE-2025-3091 HIGH CVSS 7.5
CVE-2025-3091 is an authentication bypass vulnerability allowing a low-privileged remote attacker to hijack another user's account by possessing only that user's second factor (2FA), completely bypassing password authentication. This affects multi-factor authentication implementations where the second factor can be used independently to establish a session. The vulnerability has a CVSS score of 7.5 (High) with moderate attack complexity, and represents a critical weakness in MFA architecture since attackers need only compromise one authentication factor rather than all factors.

Authentication Bypass
CVE-2025-3090 HIGH CVSS 8.2
CVE-2025-3090 is a critical authentication bypass vulnerability affecting network devices that exposes a missing authentication requirement for sensitive functions. The vulnerability allows unauthenticated remote attackers to obtain limited sensitive information and trigger denial-of-service conditions without requiring any user interaction or special privileges. If actively exploited (KEV status pending confirmation), this represents an immediate threat to exposed devices as the attack vector is network-based with low complexity.

Authentication Bypass Denial Of Service Information Disclosure
CVE-2025-2962 HIGH CVSS 7.5
CVE-2025-2962 is a denial-of-service vulnerability in a DNS implementation that triggers an infinite loop condition, allowing unauthenticated remote attackers to crash DNS services with high availability impact. The vulnerability affects DNS resolver implementations and has a CVSS score of 7.5 (High) with a network-based attack vector requiring no privileges or user interaction. While the CVE ID and basic metadata are provided, specific product names, versions, KEV status, EPSS scores, and public proof-of-concept availability cannot be confirmed from the limited data supplied.

Denial Of Service Dns Zephyr
CVE-2025-2403 HIGH CVSS 7.5
CVE-2025-2403 is a network-based denial-of-service vulnerability affecting ABB Relion 670/650 and SAM600-IO series devices, caused by improper prioritization of network traffic over protection mechanisms. An unauthenticated attacker can remotely trigger this vulnerability to malfunction critical functions such as the Line Distance Communication Module (LDCM), potentially causing service disruption in power distribution systems. With a CVSS score of 7.5 and network-accessible attack vector, this represents a significant threat to industrial control systems, particularly in electrical grid infrastructure.

Information Disclosure
CVE-2024-56917 HIGH CVSS 7.1
A cross-site scripting vulnerability in Netbox Community 4.1.7 (CVSS 7.1). Risk factors: public PoC available.

XSS Netbox
CVE-2025-53073 MEDIUM CVSS 4.2
A security vulnerability in Sentry 25.1.0 (CVSS 4.2). Remediation should follow standard vulnerability management procedures.

Authentication Bypass
CVE-2025-53021 MEDIUM CVSS 4.2
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Information Disclosure Ubuntu Debian Moodle
CVE-2025-52883 MEDIUM CVSS 5.3
A security vulnerability in Meshtastic-Android (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Google Information Disclosure Android
CVE-2025-52880 MEDIUM CVSS 4.2
Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue.

RCE XSS
CVE-2025-50699 MEDIUM CVSS 6.1
PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in odms/admin/view-user-queries.php.

PHP XSS Online Dj Booking Management System
CVE-2025-50695 MEDIUM CVSS 6.1
PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in /admin/view-booking-detail.php and /admin/invoice-generating.php.

PHP XSS Online Dj Booking Management System
CVE-2025-50693 MEDIUM CVSS 6.5
PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.

PHP Authentication Bypass Online Dj Booking Management System
CVE-2025-49147 MEDIUM CVSS 5.3
A remote code execution vulnerability in versions 10.0.0 (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Umbraco Cms
CVE-2025-48470 MEDIUM CVSS 4.1
Successful exploitation of the stored cross-site scripting vulnerability could allow an attacker to inject malicious scripts into device fields and executed in other users’ browser, potentially leading to session hijacking, defacement, credential theft, or privilege escalation.

XSS Privilege Escalation Wise 4060lan Firmware Wise 4010lan Firmware Wise 4050lan Firmware
CVE-2025-48468 MEDIUM CVSS 6.4
A security vulnerability in Successful exploitation of the vulnerability could allow an attacker that (CVSS 6.4) that allows an attacker that has physical access. Remediation should follow standard vulnerability management procedures.

Code Injection Wise 4010lan Firmware Wise 4060lan Firmware Wise 4050lan Firmware
CVE-2025-48467 MEDIUM CVSS 6.5
Successful exploitation of the vulnerability could allow an attacker to cause repeated reboots, potentially leading to remote denial-of-service and system unavailability.

Denial Of Service Wise 4050lan Firmware Wise 4060lan Firmware Wise 4010lan Firmware
CVE-2025-48462 MEDIUM CVSS 4.2
Successful exploitation of the vulnerability could allow an attacker to consume all available session slots and block other users from logging in, thereby preventing legitimate users from gaining access to the product.

Denial Of Service Wise 4060lan Firmware Wise 4010lan Firmware Wise 4050lan Firmware
CVE-2025-48461 MEDIUM CVSS 5.0
A remote code execution vulnerability (CVSS 5.0) that allows an unauthenticated attacker. Remediation should follow standard vulnerability management procedures.

Information Disclosure Wise 4050lan Firmware Wise 4060lan Firmware Wise 4010lan Firmware
CVE-2025-47943 MEDIUM CVSS 6.3
Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3.

RCE XSS Suse
CVE-2025-43877 MEDIUM CVSS 5.4
WRC-1167GHBK2-S contains a stored cross-site scripting vulnerability in WebGUI. If exploited, an arbitrary script may be executed on the web browser of the user who accessed WebGUI of the product.

XSS
CVE-2025-39205 MEDIUM CVSS 6.5
A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows remote Man-in-the-Middle attack due to missing proper validation.

Information Disclosure Microscada X Sys600
CVE-2025-39204 MEDIUM CVSS 6.5
A vulnerability exists in the Web interface of the MicroSCADA X SYS600 product. The filtering query in the Web interface can be malformed, so returning data can leak unauthorized information to the user.

Information Disclosure Microscada X Sys600
CVE-2025-39203 MEDIUM CVSS 6.5
A vulnerability exists in the IEC 61850 of the MicroSCADA X SYS600 product. An IEC 61850-8 crafted message content from IED or remote system can cause a denial of service resulting in disconnection loop.

Denial Of Service Microscada X Sys600
CVE-2025-39201 MEDIUM CVSS 6.1
A vulnerability exists in MicroSCADA X SYS600 product. If exploited this could allow a local unauthenticated attacker to tamper a system file, making denial of Notify service.

Privilege Escalation Microscada X Sys600
CVE-2025-36519 MEDIUM CVSS 4.3
Unrestricted upload of file with dangerous type issue exists in WRC-2533GST2, WRC-1167GST2, WRC-2533GST2, WRC-2533GS2V-B,WRC-2533GS2-B v1.69 and earlier, WRC-2533GS2-W, WRC-1167GST2, WRC-1167GS2-B, and WRC-1167GS2H-B. If a specially crafted file is uploaded by a remote authenticated attacker, arbitrary code may be executed on the product.

File Upload RCE
CVE-2025-34032 MEDIUM CVSS 6.1
A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

PHP XSS Jmol Moodle
CVE-2025-23260 MEDIUM CVSS 5.0
NVIDIA AIStore contains a vulnerability in the AIS Operator where a user may gain elevated k8s cluster access by using the ServiceAccount attached to the ClusterRole. A successful exploit of this vulnerability may lead to information disclosure.

Information Disclosure Kubernetes Aistore
CVE-2025-6581 MEDIUM CVSS 6.3
A vulnerability classified as critical was found in SourceCodester Best Salon Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-customer.php. The manipulation of the argument name/email/mobilenum/gender/details/dob/marriage_date leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Best Salon Management System
CVE-2025-6570 MEDIUM CVSS 6.3
A vulnerability, which was classified as critical, has been found in PHPGurukul Hospital Management System 4.0. Affected by this issue is some unknown functionality of the file /doctor/search.php. The manipulation of the argument searchdata leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Hospital Management System
CVE-2025-6569 MEDIUM CVSS 4.3
A vulnerability classified as problematic was found in code-projects School Fees Payment System 1.0. Affected by this vulnerability is an unknown functionality of the file /student.php. The manipulation of the argument sname/contact/about/emailid/transcation_remark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP XSS School Fees Payment System
CVE-2025-6566 MEDIUM CVSS 5.3
A vulnerability was found in oatpp Oat++ up to 1.3.1. It has been declared as critical. This vulnerability affects the function deserializeArray of the file src/oatpp/json/Deserializer.cpp. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Buffer Overflow
CVE-2025-6557 MEDIUM CVSS 5.4
Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Microsoft Google XSS RCE Ubuntu
CVE-2025-6556 MEDIUM CVSS 5.4
A remote code execution vulnerability in Loader in Google Chrome (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Google Authentication Bypass Ubuntu Debian Chrome
CVE-2025-6555 MEDIUM CVSS 5.4
Use after free in Animation in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Google Use After Free Memory Corruption Denial Of Service Ubuntu
CVE-2025-6552 MEDIUM CVSS 4.3
A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Java Open Redirect
CVE-2025-6535 MEDIUM CVSS 6.3
A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerability affects the function list of the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml of the component User Management Module. The manipulation of the argument sort/order leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

SQLi Novel Plus
CVE-2025-6534 MEDIUM CVSS 4.2
A remote code execution vulnerability in xxyopen/201206030 novel-plus (CVSS 4.2). Risk factors: public PoC available.

Information Disclosure Java Novel Plus
CVE-2025-6533 MEDIUM CVSS 5.6
A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Java Authentication Bypass Novel Plus
CVE-2025-6532 MEDIUM CVSS 4.3
A security vulnerability in NOYAFA/Xiami LF9 Pro (CVSS 4.3). Risk factors: public PoC available.

Information Disclosure Lf9 Pro Firmware
CVE-2025-6531 MEDIUM CVSS 4.3
A security vulnerability in SIFUSM/MZZYG BD S1 (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-6434 MEDIUM CVSS 4.3
The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140.

XSS Mozilla Ubuntu Debian Firefox
CVE-2025-6431 MEDIUM CVSS 6.5
When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.

Mozilla Google Authentication Bypass Ubuntu Debian
CVE-2025-6430 MEDIUM CVSS 6.1
When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

XSS Mozilla Ubuntu Debian Firefox
CVE-2025-6429 MEDIUM CVSS 6.5
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Authentication Bypass Mozilla Ubuntu Debian Firefox
CVE-2025-6428 MEDIUM CVSS 4.3
When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.

Google Mozilla Open Redirect Ubuntu Debian
CVE-2025-6425 MEDIUM CVSS 4.3
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Information Disclosure Mozilla Ubuntu Debian Firefox
CVE-2025-5258 MEDIUM CVSS 6.4
The Conference Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
CVE-2025-5087 MEDIUM CVSS 6.0
Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials.

Information Disclosure
CVE-2025-1718 MEDIUM CVSS 6.5
CVE-2025-1718 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2024-56918 MEDIUM CVSS 6.1
In Netbox Community 4.1.7, the login page is vulnerable to cross-site scripting (XSS), which allows a privileged, authenticated attacker to exfiltrate user input from the login form.

XSS Debian Netbox
CVE-2024-56916 MEDIUM CVSS 6.1
In Netbox Community 4.1.7, once authenticated, Configuration History > Add`is vulnerable to cross-site scripting (XSS) due to the `current value` field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a Configuration History version or attempts to Add a new version, the XSS payload will trigger.

XSS Debian Netbox
CVE-2025-52979 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52978 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52977 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52976 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52975 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52974 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52973 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52972 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52971 None
Rejected reason: Not used. No vendor patch available.

Information Disclosure
CVE-2025-52884 LOW CVSS 1.7
A security vulnerability in RISC Zero (CVSS 1.7). Remediation should follow standard vulnerability management procedures.

Information Disclosure
CVE-2025-52882 None
Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable. In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors. Claude released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when a user launch it and auto-updates the extensions, users should take the following steps, though the exact steps depend on one's integrated development environment (IDE). For VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks, check the extension Claude Code for VSCode. Open the list of Extensions (View->Extensions), look for Claude Code for VSCode among installed extensions, update or uninstall any version prior to 1.0.24, and restart the IDE. For JetBrains IDEs including IntelliJ, PyCharm, and Android Studio, check the plugin Claude Code [Beta]. Open the Plugins list, look for Claude Code [Beta] among installed extensions, update or uninstall any version prior to 0.1.9, and restart the IDE.

Google RCE Android
CVE-2025-52570 None
Letmein is an authenticating port knocker. Prior to version 10.2.1, The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections. This issue has been patched in version 10.2.1.

Denial Of Service
CVE-2025-48463 LOW CVSS 3.1
Successful exploitation of the vulnerability could allow an attacker to intercept data and conduct session hijacking on the exposed data as the vulnerable product uses unencrypted HTTP communication, potentially leading to unauthorised access or data tampering.

Information Disclosure
CVE-2025-6551 LOW CVSS 3.5
A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS Java
CVE-2025-6536 LOW CVSS 3.3
A vulnerability has been found in Tarantool up to 3.3.1 and classified as problematic. Affected by this vulnerability is the function tm_to_datetime in the library src/lib/core/datetime.c. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

Denial Of Service Ubuntu Debian

Today's Vulnerabilities Vulnerabilities