Skip to main content
CVE-2025-34037 CRITICAL POC PATCH THREAT Act Now

Multiple Linksys E-Series router models contain an unauthenticated OS command injection vulnerability in the /tmUnblock.cgi and /hndUnblock.cgi endpoints accessible on port 8080. The ttcp_ip parameter is passed directly to a system shell without sanitization, enabling remote root-level command execution on the router.

RCE Command Injection
NVD Exploit-DB VulDB
CVSS 4.0
10.0
EPSS
81.5%
Threat
5.9
CVE-2025-32975 CRITICAL POC KEV THREAT Emergency

Authentication bypass in Quest KACE Systems Management Appliance allows remote unauthenticated attackers to impersonate any user and achieve complete administrative takeover via SSO mechanism flaws. Confirmed actively exploited (CISA KEV) with publicly available exploit code. Affects versions 13.0.x through 14.1.x across five major release branches. CVSS 10.0 (critical) with changed scope indicates full system compromise. EPSS score of 0.16% appears artificially low given confirmed active exploitation, suggesting targeted attacks rather than widespread scanning.

Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.2%
Threat
5.0
CVE-2025-34036 CRITICAL POC THREAT Emergency

White-labeled DVRs manufactured by TVT contain an unauthenticated OS command injection in the 'Cross Web Server' HTTP service on ports 81/82. The URI path handling for language extraction fails to sanitize input, enabling remote attackers to execute arbitrary commands on the surveillance DVR.

Command Injection RCE Authentication Bypass Td 2932td Hp Firmware Td 2108ts Cl Firmware +28
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
10.9%
CVE-2025-34035 CRITICAL POC Act Now

CVE-2025-34035 is a critical OS command injection vulnerability in EnGenius EnShare Cloud Service versions 1.4.11 and earlier, affecting the usbinteract.cgi script which fails to sanitize the 'path' parameter. Unauthenticated remote attackers can inject arbitrary shell commands executed with root privileges, resulting in complete system compromise. Active exploitation has been documented by the Shadowserver Foundation as of 2024-12-05, indicating real-world threat activity.

Command Injection Esr900 Firmware Esr1200 Firmware Esr350 Firmware Esr300 Firmware +3
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
7.6%
CVE-2025-34040 CRITICAL POC Act Now

An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.

File Upload RCE Path Traversal
NVD Exploit-DB VulDB
CVSS 4.0
10.0
EPSS
3.8%
CVE-2021-41691 CRITICAL POC Act Now

A remote code execution vulnerability in OS4Ed Open Source Information System Community (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

PHP SQLi Opensis
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2025-34031 HIGH POC THREAT Act Now

The Moodle LMS Jmol plugin version 6.1 and earlier contains a path traversal vulnerability in jsmol.php. The query parameter is passed directly to file_get_contents() without validation, allowing unauthenticated attackers to read arbitrary files from the Moodle server including configuration files with database credentials.

PHP Path Traversal Moodle Information Disclosure Jmol
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
12.2%
CVE-2025-48469 CRITICAL POC Act Now

A privilege escalation vulnerability (CVSS 9.6) that allows an unauthenticated attacker. Risk factors: public PoC available.

Privilege Escalation Authentication Bypass RCE Wise 4060lan Firmware Wise 4010lan Firmware +1
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-34033 HIGH POC This Week

CVE-2025-34033 is an OS command injection vulnerability in Blue Angel Software Suite's webctrl.cgi script that allows authenticated attackers to execute arbitrary commands as root via unsanitized input to the ping_addr parameter. The vulnerability affects embedded Linux devices running the Blue Angel Software Suite, and successful exploitation grants complete system compromise with command output visible in the web interface. Active exploitation was confirmed by Shadowserver Foundation on 2025-01-26, with CVSS 8.8 severity and root-level code execution impact.

Command Injection Blue Angel Software Suite
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-6568 HIGH POC This Week

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-6565 HIGH POC This Week

CVE-2025-6565 is a critical stack-based buffer overflow vulnerability in Netgear WNCE3001 v1.0.0.50 affecting the HTTP POST request handler's Host parameter processing. An authenticated attacker can remotely exploit this to achieve complete system compromise including confidentiality, integrity, and availability violations. Public exploitation code exists, elevating immediate risk.

Buffer Overflow Netgear RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-34034 HIGH POC This Week

CVE-2025-34034 is a hardcoded credential vulnerability in Blue Angel Software Suite deployed on embedded Linux systems that allows unauthenticated or low-privilege attackers to gain administrative access to the device's web interface through undisclosed default accounts. The vulnerability carries a CVSS score of 8.8 (High) and has been actively exploited in the wild as evidenced by Shadowserver Foundation observations on 2025-01-26 UTC. This is a critical authentication bypass affecting embedded/IoT deployments with significant real-world exploitation risk.

Information Disclosure Blue Angel Software Suite
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-52566 HIGH POC PATCH This Week

CVE-2025-52566 is a signed vs. unsigned integer overflow vulnerability in llama.cpp's tokenizer (llama_vocab::tokenize function) that enables heap buffer overflow during text tokenization. This affects all versions of llama.cpp prior to b5721, and attackers can trigger the vulnerability with specially crafted text input during the inference process, potentially achieving code execution with high confidentiality, integrity, and availability impact. The vulnerability requires local access and user interaction but has a high CVSS score of 8.6; KEV status and active exploitation data are not currently available, but the patch exists in version b5721.

Buffer Overflow Heap Overflow Integer Overflow Python Llama.Cpp +1
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-34038 HIGH POC This Week

CVE-2025-34038 is an unauthenticated SQL injection vulnerability in Weaver E-cology 8.0's getdata.jsp endpoint that allows attackers to execute arbitrary SQL queries by injecting malicious code through the unsanitized 'sql' parameter in the getSelectAllIds() method. The vulnerability affects Weaver E-cology 8.0 and enables attackers to extract sensitive data including administrator password hashes without authentication. Active exploitation has been observed by Shadowserver Foundation as of 2025-02-05, indicating this is a real and present threat in the wild.

Information Disclosure SQLi E Cology
NVD
CVSS 3.1
7.5
EPSS
3.9%
CVE-2025-48466 HIGH POC This Week

CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.

Modbus Authentication Bypass IoT Wise 4010lan Firmware Wise 4050lan Firmware +1
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-52560 HIGH POC PATCH This Week

Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to craft malicious password reset emails with attacker-controlled URLs when the application_url configuration is unset (default state). If a victim clicks the poisoned reset link, their password reset token is leaked to the attacker's domain, enabling complete account takeover including administrative accounts. This vulnerability requires user interaction (clicking a link) but affects all users initiating password resets on vulnerable instances, making it a practical and high-impact attack vector for account compromise.

Information Disclosure Kanboard
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-44531 HIGH POC This Week

CVE-2025-44531 is a Denial of Service vulnerability in Realtek RTL8762E SDK v1.4.0 that allows unauthenticated remote attackers to crash Bluetooth-enabled devices by sending a specially crafted packet before the pairing public key exchange is completed. The vulnerability affects Bluetooth Low Energy (BLE) implementations using the vulnerable SDK version, with a CVSS score of 7.5 indicating high severity. No public exploit code or active exploitation in the wild has been reported at the time of this analysis.

Denial Of Service Rtl8762e Software Development Kit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-2962 HIGH POC This Week

CVE-2025-2962 is a denial-of-service vulnerability in a DNS implementation that triggers an infinite loop condition, allowing unauthenticated remote attackers to crash DNS services with high availability impact. The vulnerability affects DNS resolver implementations and has a CVSS score of 7.5 (High) with a network-based attack vector requiring no privileges or user interaction. While the CVE ID and basic metadata are provided, specific product names, versions, KEV status, EPSS scores, and public proof-of-concept availability cannot be confirmed from the limited data supplied.

Denial Of Service DNS Zephyr
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-56917 HIGH POC This Week

A cross-site scripting vulnerability in Netbox Community 4.1.7 (CVSS 7.1). Risk factors: public PoC available.

XSS Netbox
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-50693 MEDIUM POC This Month

PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.

PHP Authentication Bypass Online Dj Booking Management System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-34041 CRITICAL Act Now

An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. The vulnerability allows unauthenticated attackers to construct and send malicious HTTP requests to the EDR Manager interface, leading to arbitrary command execution with elevated privileges. This flaw only affects the Chinese-language EDR builds. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Command Injection
NVD
CVSS 4.0
10.0
EPSS
2.3%
CVE-2024-56731 CRITICAL PATCH Act Now

CVE-2024-56731 is a critical remote code execution vulnerability in Gogs (self-hosted Git service) versions prior to 0.13.3, where unprivileged users can delete files in the .git directory and achieve arbitrary command execution due to an incomplete patch of CVE-2024-39931. An unauthenticated remote attacker can execute arbitrary commands with the privileges of the RUN_USER account, compromising all code repositories and user data on affected instances. This represents an actively exploitable vulnerability with a perfect CVSS 3.1 score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no privilege requirements, and complete system compromise.

RCE Gogs Suse
NVD GitHub
CVSS 3.1
10.0
EPSS
1.0%
CVE-2025-52572 CRITICAL Act Now

CVE-2025-52572 is a critical remote code execution vulnerability in Hikka, a Telegram userbot, affecting all versions across all platforms. The vulnerability exists in two exploitation paths: an unauthenticated web interface allowing direct RCE via attacker-controlled Telegram accounts, and an authenticated interface where insufficient UI warnings trick users into granting dangerous permissions, enabling both RCE and Telegram account compromise. Scenario 2 has been actively exploited in the wild, with a CVSS 10.0 score reflecting network-accessible unauthenticated attack paths and complete system compromise potential.

RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.6%
CVE-2025-34032 MEDIUM POC This Month

A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

PHP XSS Jmol Moodle
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-56918 MEDIUM POC This Month

In Netbox Community 4.1.7, the login page is vulnerable to cross-site scripting (XSS), which allows a privileged, authenticated attacker to exfiltrate user input from the login form.

XSS Debian Netbox
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-56916 MEDIUM POC This Month

In Netbox Community 4.1.7, once authenticated, Configuration History > Add`is vulnerable to cross-site scripting (XSS) due to the `current value` field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a Configuration History version or attempts to Add a new version, the XSS payload will trigger.

XSS Debian Netbox
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-50699 MEDIUM POC This Month

PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in odms/admin/view-user-queries.php.

PHP XSS Online Dj Booking Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-50695 MEDIUM POC This Month

PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in /admin/view-booking-detail.php and /admin/invoice-generating.php.

PHP XSS Online Dj Booking Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-34039 CRITICAL POC Act Now

A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet (bsh.servlet.BshServlet) without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This can be exploited to run system commands and ultimately gain full control over the target server. The issue is rooted in a third-party JAR component bundled with the application, and the servlet is accessible without authentication on vulnerable installations. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Java Authentication Bypass
NVD
CVSS 4.0
10.0
EPSS
0.3%
CVE-2025-4378 CRITICAL PATCH Act Now

CVE-2025-4378 is a critical authentication vulnerability in Ataturk University's ATA-AOF Mobile Application that combines cleartext transmission of sensitive information with hard-coded credentials, allowing unauthenticated attackers over the network to bypass authentication and abuse user accounts. All versions before 20.06.2025 are affected with a perfect CVSS 3.1 score of 10.0, indicating maximum severity across confidentiality, integrity, and availability dimensions.

Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2024-37743 CRITICAL Act Now

CVE-2024-37743 is a critical remote code execution vulnerability in mmzdev KnowledgeGPT v0.0.5 that allows unauthenticated attackers to execute arbitrary code through a flaw in the Document Display Component. The vulnerability has a CVSS score of 9.8 and CWE-94 classification (improper control of generation of code), indicating unsafe code generation or deserialization. Given the high CVSS and network-accessible attack vector with no authentication requirements, this represents an actively exploitable critical risk to any organization running the affected version.

RCE Knowledgegpt
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-52471 CRITICAL PATCH Act Now

A security vulnerability in the ESP-NOW protocol implementation within the ESP Wi-Fi component of (CVSS 9.8). Critical severity with potential for significant impact on affected systems. Vendor patch is available.

RCE Esp Idf
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-6559 CRITICAL Act Now

CVE-2025-6559 is an unauthenticated OS Command Injection vulnerability affecting multiple Sapido wireless router models that are out of support. Remote attackers can inject and execute arbitrary operating system commands with no authentication required, achieving complete system compromise. The CVSS 9.8 Critical severity reflects the trivial attack vector (network-accessible, no user interaction required) and complete impact on confidentiality, integrity, and availability.

Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-48890 CRITICAL Act Now

CVE-2025-48890 is a critical OS command injection vulnerability in the miniigd SOAP service affecting WRH-733GBK and WRH-733GWH network storage devices. Remote unauthenticated attackers can execute arbitrary OS commands by sending specially crafted requests, achieving complete system compromise (CVSS 9.8). With an attack vector of Network/Low complexity/No privileges required, this vulnerability poses immediate risk to exposed devices.

Command Injection RCE IoT Netgear
NVD
CVSS 3.0
9.8
EPSS
0.4%
CVE-2025-43879 CRITICAL Act Now

CVE-2025-43879 is a critical OS command injection vulnerability in Whirlpool refrigerator models WRH-733GBK and WRH-733GWH that allows unauthenticated remote attackers to execute arbitrary operating system commands via the telnet function. With a CVSS 9.8 score and network-accessible attack vector requiring no authentication or user interaction, this vulnerability poses immediate risk to any connected affected appliance. The vulnerability's presence in IoT/appliance firmware suggests potential for botnet recruitment, lateral network movement, or data exfiltration from vulnerable devices.

Command Injection
NVD
CVSS 3.0
9.8
EPSS
0.4%
CVE-2025-6424 CRITICAL PATCH Act Now

A denial of service vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Use After Free Mozilla Denial Of Service Memory Corruption
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-6560 CRITICAL Act Now

CVE-2025-6560 is a critical authentication bypass vulnerability affecting multiple Sapido wireless router models, where unauthenticated remote attackers can directly access system configuration files containing plaintext administrator credentials. The affected models are end-of-life products with no vendor patches available; this vulnerability carries a CVSS 9.8 rating and likely has exploitation activity given the simplicity of the attack vector and lack of defensive complexity. Immediate device replacement is the only viable remediation.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-50213 CRITICAL PATCH Act Now

Apache Airflow Providers Snowflake versions before 6.4.0 contain a Special Element Injection vulnerability (CWE-75) in the CopyFromExternalStageToSnowflakeOperator that fails to properly sanitize table and stage parameters, allowing unauthenticated attackers to execute arbitrary SQL injection attacks with complete system compromise (CVSS 9.8). This is a critical remote vulnerability requiring network access only, with no authentication or user interaction needed, making it a high-priority patch regardless of KEV/EPSS status.

Apache SQLi Python Apache Airflow Providers Snowflake
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-49851 CRITICAL Act Now

ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain an improper authentication vulnerability (CWE-287) that allows unauthenticated network attackers to completely bypass authentication mechanisms and gain unauthorized permissions within the application. With a CVSS 9.8 score reflecting network-accessible, low-complexity exploitation requiring no user interaction or privileges, this represents a critical remote authentication bypass affecting all confidentiality, integrity, and availability of the system. The vulnerability's presence in a widely-deployed identity and access control product makes this a high-priority threat requiring immediate patching.

Authentication Bypass Control Id Idsecure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-6433 CRITICAL PATCH Act Now

CVE-2025-6433 is a critical WebAuthn specification violation in Firefox and Thunderbird that allows attackers to present WebAuthn authentication challenges over non-secure TLS connections with user-granted exceptions. This bypasses the WebAuthn requirement for secure transport without errors, enabling credential theft and account compromise. Firefox < 140 and Thunderbird < 140 are affected; the network-based attack requires no privileges or user interaction beyond the initial certificate exception grant, resulting in a CVSS 9.8 critical rating.

Mozilla Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-52571 CRITICAL PATCH Act Now

CVE-2025-52571 is a critical authentication bypass vulnerability in Hikka Telegram userbot affecting versions below 1.6.2 that allows unauthenticated attackers to gain unauthorized access to victims' Telegram accounts and full server control. The vulnerability has a CVSS score of 9.6 (Critical) with network-based exploitation requiring only user interaction; patch version 1.6.2 is available as the sole remediation with no known workarounds.

Information Disclosure
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2025-32977 CRITICAL Act Now

CVE-2025-32977 is a critical unauthenticated backup file upload vulnerability in Quest KACE Systems Management Appliance (SMA) that allows attackers to bypass signature validation and upload malicious backup content, potentially achieving remote code execution with system-wide impact. The vulnerability affects SMA versions 13.0.x through 14.1.x and requires only user interaction (UI:R) but no authentication (PR:N), with a CVSS 9.6 severity rating indicating high exploitability.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-6580 MEDIUM POC This Month

CVE-2025-6580 is a critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 affecting the Login component's Username parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available, increasing exploitation risk.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6579 MEDIUM POC This Month

CVE-2025-6579 is a critical SQL injection vulnerability in code-projects Car Rental System 1.0 affecting the /message_admin.php file's Message parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept code available and may be actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6578 MEDIUM POC This Month

CVE-2025-6578 is a critical SQL injection vulnerability in Simple Online Hotel Reservation System version 1.0 affecting the /admin/delete_account.php file through unsanitized admin_id parameter manipulation. An unauthenticated remote attacker can execute arbitrary SQL queries to read, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk for deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-6567 MEDIUM POC This Month

CVE-2025-6567 is a critical SQL injection vulnerability in Campcodes Online Recruitment Management System version 1.0, specifically in the Recruitment/admin/view_application.php file where the ID parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of recruitment records. The vulnerability has been publicly disclosed with proof-of-concept code available, and exploitation requires no special privileges or user interaction.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-2566 CRITICAL PATCH Act Now

CVE-2025-2566 is an unsafe Java deserialization vulnerability in Kaleris NAVIS N4 ULC that allows unauthenticated attackers to execute arbitrary code on affected servers through specially crafted requests. The vulnerability affects Kaleris NAVIS N4 Ultra Light Client installations and presents critical risk due to its network-accessible attack vector, lack of authentication requirements, and remote code execution impact. Given the CVSS 9.3 score and unauthenticated attack surface, this should be treated as a priority vulnerability for organizations running affected versions.

Deserialization RCE Java
NVD
CVSS 4.0
9.3
EPSS
0.7%
CVE-2025-6566 MEDIUM POC This Month

A vulnerability was found in oatpp Oat++ up to 1.3.1. It has been declared as critical. This vulnerability affects the function deserializeArray of the file src/oatpp/json/Deserializer.cpp. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2025-4383 CRITICAL PATCH Act Now

A authentication bypass vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm (CVSS 9.3). Critical severity with potential for significant impact on affected systems.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-6427 CRITICAL PATCH Act Now

A security vulnerability in Devtools. This vulnerability affects Firefox (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

Mozilla Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.1%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy