Skip to main content
CVE-2025-6953 HIGH POC This Week

A vulnerability, which was classified as critical, was found in TOTOLINK A3002RU 3.0.0-B20230809.1615. Affected is an unknown function of the file /boafrm/formParentControl of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Buffer Overflow A3002ru Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-6940 HIGH POC This Week

A vulnerability classified as critical was found in TOTOLINK A702R 4.0.0-B20230721.1521. Affected by this vulnerability is an unknown functionality of the file /boafrm/formParentControl of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Buffer Overflow A702r Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6939 HIGH POC This Week

A vulnerability classified as critical has been found in TOTOLINK A3002RU 3.0.0-B20230809.1615. Affected is an unknown function of the file /boafrm/formWlSiteSurvey of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Buffer Overflow A3002ru Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-34066 HIGH POC This Week

CVE-2025-34066 is a security vulnerability (CVSS 8.3). Risk factors: public PoC available.

Information Disclosure
NVD GitHub Exploit-DB
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-49741 HIGH POC PATCH This Week

A security vulnerability in No cwe for this (CVSS 7.4) that allows an unauthorized attacker. Risk factors: public PoC available.

Microsoft Google Information Disclosure Edge Chromium Chrome
NVD Exploit-DB
CVSS 3.1
7.4
EPSS
0.9%
CVE-2025-37097 HIGH POC This Week

A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service

Denial Of Service Insight Remote Support
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-48379 HIGH POC PATCH This Week

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.

Heap Overflow Buffer Overflow Python Ubuntu Debian +3
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-45080 HIGH This Week

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2025-34058 HIGH This Week

Hikvision Streaming Media Management Server v2.3.5 uses default credentials that allow remote attackers to authenticate and access restricted functionality. After authenticating with these credentials, an attacker can exploit an arbitrary file read vulnerability in the /systemLog/downFile.php endpoint via directory traversal in the fileName parameter. This exploit chain can enable unauthorized access to sensitive system files.

PHP Authentication Bypass Path Traversal Hikvision
NVD
CVSS 4.0
8.7
EPSS
1.2%
CVE-2025-45081 HIGH This Week

Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-34059 HIGH This Week

An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

PHP SQLi
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-53100 HIGH PATCH This Week

RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tools definition and implementation. This could result in a user initiated remote command injection attack on a running MCP Server. This issue has been patched in version 0.2.2.

Command Injection
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-6297 HIGH PATCH This Week

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

Denial Of Service Dpkg
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2024-46992 HIGH PATCH This Week

A remote code execution vulnerability in Electron (CVSS 7.8). High severity vulnerability requiring prompt remediation.

Microsoft Apple Authentication Bypass Debian Windows +1
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-37098 HIGH This Week

A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.

Path Traversal Insight Remote Support
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53099 HIGH PATCH This Week

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a user's account. With a specially timed requests and redirect flows, an attacker could generate multiple authorization codes that could be used to exchange for access and refresh tokens. This was possible even after de-authorizing the particular application. This issue has been patched in version 25.5.0. Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action.

Microsoft Information Disclosure Sentry
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-34081 HIGH PATCH This Week

The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.

PHP Information Disclosure Conprosys Hmi System
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53107 HIGH PATCH This Week

@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5.

RCE Command Injection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-49480 HIGH This Week

Out-of-bounds access in ASR180x 、ASR190x in lte-telephony, This vulnerability is associated with program files apps/lzma/src/LzmaEnc.c. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Information Disclosure Buffer Overflow Kestrel Falcon Linux Lapwing Linux
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-49492 HIGH This Week

Out-of-bounds write in ASR180x in lte-telephony, May cause a buffer underrun.  This vulnerability is associated with program files apps/atcmd_server/src/dev_api.C. This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.

Buffer Overflow Memory Corruption Kestrel Lapwing Linux Falcon Linux
NVD
CVSS 3.1
7.4
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy