Skip to main content
CVE-2025-6751 HIGH POC This Week

A vulnerability, which was classified as critical, was found in Linksys E8450 up to 1.2.00.360516. This affects the function set_device_language of the file portal.cgi of the component HTTP POST Request Handler. The manipulation of the argument dut_language leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-6752 HIGH POC This Week

A vulnerability has been found in Linksys WRT1900ACS, EA7200, EA7450 and EA7500 up to 20250619 and classified as critical. This vulnerability affects the function SetDefaultConnectionService of the file /upnp/control/Layer3Forwarding of the component IGD. The manipulation of the argument NewDefaultConnectionService leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-6763 HIGH POC This Week

A vulnerability was found in Comet System T0510, T3510, T3511, T4511, T6640, T7511, T7611, P8510, P8552 and H3531 1.60. Affected by this issue is some unknown functionality of the file /setupA.cfg of the component Web-based Management Interface. Performing manipulation results in missing authentication. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used. There are still doubts about whether this vulnerability truly exists. The vendor explains, that "[d]evices described at CVE are not intended to be exposed into internet and proper security of devices is to end-users."

Authentication Bypass T6640 Firmware T7511 Firmware T0510 Firmware T4511 Firmware +6
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.8%
CVE-2025-44557 HIGH POC This Week

CVE-2025-44557 is a security vulnerability (CVSS 8.1) that allows attackers. Risk factors: public PoC available.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-50528 HIGH POC This Week

A buffer overflow vulnerability exists in the fromNatStaticSetting function of Tenda AC6 <=V15.03.05.19 via the page parameter.

Buffer Overflow Stack Overflow Ac6 Firmware Tenda
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-52827 HIGH This Week

Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-52826 HIGH This Week

Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-52824 HIGH This Week

Missing Authorization vulnerability in MDJM Mobile DJ Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mobile DJ Manager: from n/a through 1.7.6.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-25171 HIGH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemesGrove WP SmartPay allows Authentication Abuse. This issue affects WP SmartPay: from n/a through 2.7.13.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53277 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Infigo Software IS-theme-companion allows Object Injection. This issue affects IS-theme-companion: from n/a through 1.57.

CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-53094 HIGH This Week

A security vulnerability in versions (CVSS 8.7) that allows attackers. High severity vulnerability requiring prompt remediation.

Code Injection
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-53093 HIGH PATCH This Week

TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug.

XSS
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-49448 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu : from n/a through 6.0.0.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-52726 HIGH This Week

Incorrect Privilege Assignment vulnerability in pebas CouponXxL Custom Post Types allows Privilege Escalation. This issue affects CouponXxL Custom Post Types: from n/a through 3.0.

Privilege Escalation
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-28993 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Jose Content No Cache allows Code Injection. This issue affects Content No Cache: from n/a through 0.1.3.

RCE Code Injection
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-52817 HIGH This Week

Missing Authorization vulnerability in ZealousWeb Abandoned Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Abandoned Contact Form 7: from n/a through 2.0.

Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-52818 HIGH This Week

Missing Authorization vulnerability in Dejan Jasnic Trusty Whistleblowing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusty Whistleblowing: from n/a through 1.5.2.

Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-52816 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-52815 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CityGov allows PHP Local File Inclusion. This issue affects CityGov: from n/a through 1.9.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-52814 HIGH This Week

A security vulnerability in ovatheme BRW allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-52812 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Domnoo allows PHP Local File Inclusion. This issue affects Domnoo: from n/a through 1.49.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-52809 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Russell National Weather Service Alerts allows PHP Local File Inclusion. This issue affects National Weather Service Alerts: from n/a through 1.3.5.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-52729 HIGH This Week

A security vulnerability in thembay Diza allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-52723 HIGH This Week

A security vulnerability in codesupplyco Networker allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49883 HIGH This Week

A security vulnerability in thembay Greenmart allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49416 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fastw3b LLC FW Gallery allows PHP Local File Inclusion. This issue affects FW Gallery: from n/a through 8.0.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-30992 HIGH This Week

A security vulnerability in thembay Puca allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-28998 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in serpednet SERPed.net allows PHP Local File Inclusion. This issue affects SERPed.net: from n/a through 4.6.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-28990 HIGH This Week

A security vulnerability in snstheme SNS Vicky allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-28947 HIGH This Week

A remote code execution vulnerability (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP WordPress LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-28946 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore allows PHP Local File Inclusion.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-24769 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Zenny allows PHP Local File Inclusion. This issue affects Zenny: from n/a through 1.7.5.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-24760 HIGH This Week

A security vulnerability in goalthemes Sofass allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2023-25998 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Samex - Clean, Minimal Shop WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Samex - Clean, Minimal Shop WooCommerce WordPress Theme: from n/a through 2.6.

PHP WordPress LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-52808 HIGH This Week

A security vulnerability in real-web RealtyElite allows PHP Local File Inclusion (CVSS 8.1). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49886 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab Zikzag Core allows PHP Local File Inclusion. This issue affects Zikzag Core: from n/a through 1.4.5.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53098 HIGH PATCH This Week

Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.

Command Injection Roo Code
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-52811 HIGH This Week

Path Traversal vulnerability in Creanncy Davenport - Versatile Blog and Magazine WordPress Theme allows PHP Local File Inclusion. This issue affects Davenport - Versatile Blog and Magazine WordPress Theme: from n/a through 1.3.

PHP WordPress Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-52810 HIGH This Week

Path Traversal vulnerability in TMRW-studio Katerio - Magazine allows PHP Local File Inclusion. This issue affects Katerio - Magazine: from n/a through 1.5.1.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-24765 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RobMarsh Image Shadow allows Path Traversal. This issue affects Image Shadow: from n/a through 1.1.0.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-53306 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in lucidcrew WP Forum Server allows SQL Injection. This issue affects WP Forum Server: from n/a through 1.8.2.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-53258 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wow-Company Hover Effects hover-effects allows SQL Injection.This issue affects Hover Effects: from n/a through 2.1.2.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-53256 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows SQL Injection.This issue affects YaySMTP: from n/a through 2.6.5.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-6521 HIGH This Week

During the initial setup of the device the user connects to an access point broadcast by the Sight Bulb Pro. During the negotiation, AES Encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt communications between the management app and the Sight Bulb Pro which may include sensitive information such as network credentials.

Information Disclosure
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-53339 HIGH This Week

A security vulnerability in devnex Devnex Addons For Elementor allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-53281 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPBean WPB Category Slider for WooCommerce allows PHP Local File Inclusion. This issue affects WPB Category Slider for WooCommerce: from n/a through 1.71.

PHP WordPress LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-53259 HIGH This Week

A security vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-53257 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows PHP Local File Inclusion. This issue affects Gmedia Photo Gallery: from n/a through 1.23.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-32298 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case-Themes CTUsers allows PHP Local File Inclusion. This issue affects CTUsers: from n/a through 1.0.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-45851 HIGH This Week

An issue in Hikvision DS-2CD1321-I V5.7.21 build 230819 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the endpoint /ISAPI/Security/challenge. The vendor has stated that upgrading to V5.7.23_SP2 fixes the issue.

Denial Of Service Hikvision
NVD
CVSS 3.1
7.5
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy