Skip to main content
CVE-2025-5306 CRITICAL POC THREAT Emergency

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778

Command Injection Pandora Fms
NVD
CVSS 3.1
9.8
EPSS
44.2%
Threat
4.8
CVE-2025-52207 CRITICAL POC Act Now

A security vulnerability in MikoPBX (CVSS 9.9) that allows uploading a php script. Critical severity with potential for significant impact on affected systems.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
9.9
EPSS
5.8%
CVE-2025-53091 CRITICAL POC Act Now

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in version 3.3.3 the almox parameter of the `/controle/getProdutosPorAlmox.php` endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. Version 3.4.0 fixes the issue.

PHP SQLi Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-6751 HIGH POC This Week

A vulnerability, which was classified as critical, was found in Linksys E8450 up to 1.2.00.360516. This affects the function set_device_language of the file portal.cgi of the component HTTP POST Request Handler. The manipulation of the argument dut_language leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-6752 HIGH POC This Week

A vulnerability has been found in Linksys WRT1900ACS, EA7200, EA7450 and EA7500 up to 20250619 and classified as critical. This vulnerability affects the function SetDefaultConnectionService of the file /upnp/control/Layer3Forwarding of the component IGD. The manipulation of the argument NewDefaultConnectionService leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-6763 HIGH POC This Week

A vulnerability was found in Comet System T0510, T3510, T3511, T4511, T6640, T7511, T7611, P8510, P8552 and H3531 1.60. Affected by this issue is some unknown functionality of the file /setupA.cfg of the component Web-based Management Interface. Performing manipulation results in missing authentication. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used. There are still doubts about whether this vulnerability truly exists. The vendor explains, that "[d]evices described at CVE are not intended to be exposed into internet and proper security of devices is to end-users."

Authentication Bypass T6640 Firmware T7511 Firmware T0510 Firmware T4511 Firmware +6
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.8%
CVE-2025-44557 HIGH POC This Week

CVE-2025-44557 is a security vulnerability (CVSS 8.1) that allows attackers. Risk factors: public PoC available.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-50528 HIGH POC This Week

A buffer overflow vulnerability exists in the fromNatStaticSetting function of Tenda AC6 <=V15.03.05.19 via the page parameter.

Buffer Overflow Stack Overflow Ac6 Firmware Tenda
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-52709 CRITICAL Act Now

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
6.0%
CVE-2025-45737 MEDIUM POC This Month

An issue in NetEase (Hangzhou) Network Co., Ltd NeacSafe64 Driver before v1.0.0.8 allows attackers to escalate privileges via sending crafted IOCTL commands to the NeacSafe64.sys component.

Privilege Escalation Neacsafe64
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-44559 MEDIUM POC This Month

An issue in the Bluetooth Low Energy (BLE) stack of Realtek RTL8762E BLE SDK v1.4.0 allows attackers within Bluetooth range to cause a Denial of Service (DoS) via sending a specific sequence of crafted control packets.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-45729 MEDIUM POC This Month

D-Link DIR-823-Pro 1.02 has improper permission control, allowing unauthorized users to turn on and access Telnet services.

Authentication Bypass Dir 823 Pro Firmware D-Link
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-44163 MEDIUM POC PATCH This Month

RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution.

PHP Path Traversal Raspap Webgui
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-49885 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme Drag and Drop Multiple File Upload (Pro) - WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop Multiple File Upload (Pro) - WooCommerce: from n/a through 5.0.6.

File Upload WordPress
NVD
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-5310 CRITICAL PATCH Act Now

Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution.

RCE Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-6688 CRITICAL PATCH Act Now

The Simple Payment plugin for WordPress is vulnerable to Authentication Bypass in versions 1.3.6 to 2.3.8. This is due to the plugin not properly verifying a user's identity prior to logging them in through the create_user() function. This makes it possible for unauthenticated attackers to log in as administrative users.

WordPress Authentication Bypass Simple Payment PHP
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-12827 CRITICAL Act Now

The DWT - Directory & Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-52725 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in pebas CouponXxL allows Object Injection. This issue affects CouponXxL: from n/a through 3.0.0.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-52724 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk allows Object Injection. This issue affects Amwerk: from n/a through 1.2.0.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-28970 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic allows Object Injection. This issue affects WP Optimize By xTraffic: from n/a through 5.1.6.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-12364 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mavi Yeşil Software Guest Tracking Software allows SQL Injection.This issue affects Guest Tracking Software.  NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-12150 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eron Software Wowwo CRM allows Blind SQL Injection.This issue affects Wowwo CRM.  NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-12143 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobilteg Mobile Informatics Mikro Hand Terminal - MikroDB allows SQL Injection.This issue affects Mikro Hand Terminal - MikroDB.  NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-11739 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Case Informatics Case ERP allows SQL Injection.This issue affects Case ERP: before V2.0.1.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-52553 CRITICAL PATCH Act Now

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5` for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect.

Authentication Bypass Authentik
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-53314 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in sh1zen WP Optimizer allows SQL Injection. This issue affects WP Optimizer: from n/a through 2.3.6.

CSRF SQLi
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-6776 MEDIUM POC PATCH This Month

A vulnerability classified as critical was found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This vulnerability affects the function Upload of the file app/plugins/oss/app/controller.py of the component File Upload. The manipulation of the argument image leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The name of the patch is e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.

File Upload Python Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2025-6772 MEDIUM POC This Month

A vulnerability was found in eosphoros-ai db-gpt up to 0.7.2. It has been classified as critical. Affected is the function import_flow of the file /api/v2/serve/awel/flow/import. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2025-6777 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in code-projects Food Distributor Site 1.0. This issue affects some unknown processing of the file /admin/process_login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5093 MEDIUM POC PATCH This Month

The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 use the Swipebox library which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

WordPress XSS Responsive Lightbox PHP
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-5035 MEDIUM POC PATCH This Month

The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.

WordPress XSS Firelight Lightbox PHP
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-52717 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chrisbadgett LifterLMS allows SQL Injection. This issue affects LifterLMS: from n/a through 8.0.6.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-39474 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Amely allows SQL Injection. This issue affects Amely: from n/a through 3.1.4.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-52834 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in favethemes Homey allows SQL Injection. This issue affects Homey: from n/a through 2.4.5.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-52829 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DirectIQ DirectIQ Email Marketing allows SQL Injection. This issue affects DirectIQ Email Marketing: from n/a through 2.0.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-52722 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoinWebs Classiera allows SQL Injection. This issue affects Classiera: from n/a through 4.0.34.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-23967 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpopal GG Bought Together for WooCommerce allows SQL Injection. This issue affects GG Bought Together for WooCommerce: from n/a through 1.0.2.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-53260 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress allows Upload a Web Shell to a Web Server. This issue affects File Manager Plugin For Wordpress: from n/a through 7.5.

File Upload WordPress
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-52827 HIGH This Week

Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-52826 HIGH This Week

Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-52824 HIGH This Week

Missing Authorization vulnerability in MDJM Mobile DJ Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mobile DJ Manager: from n/a through 1.7.6.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-25171 HIGH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemesGrove WP SmartPay allows Authentication Abuse. This issue affects WP SmartPay: from n/a through 2.7.13.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-5194 MEDIUM POC PATCH This Month

The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

WordPress XSS Wp Map Block PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-53277 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Infigo Software IS-theme-companion allows Object Injection. This issue affects IS-theme-companion: from n/a through 1.57.

CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-53094 HIGH This Week

A security vulnerability in versions (CVSS 8.7) that allows attackers. High severity vulnerability requiring prompt remediation.

Code Injection
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-53093 HIGH PATCH This Week

TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug.

XSS
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-49448 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu : from n/a through 6.0.0.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-52726 HIGH This Week

Incorrect Privilege Assignment vulnerability in pebas CouponXxL Custom Post Types allows Privilege Escalation. This issue affects CouponXxL Custom Post Types: from n/a through 3.0.

Privilege Escalation
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-28993 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Jose Content No Cache allows Code Injection. This issue affects Content No Cache: from n/a through 0.1.3.

RCE Code Injection
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-5526 MEDIUM POC PATCH This Month

A security vulnerability in BuddyPress Docs WordPress (CVSS 4.3) that allows a logged. Risk factors: public PoC available.

WordPress Information Disclosure Buddypress Docs PHP
NVD WPScan
CVSS 3.1
4.3
EPSS
0.1%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy