LaRecipe versions prior to 2.8.1 contain a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) in vulnerable configurations. The vulnerability allows unauthenticated network attackers to execute arbitrary commands on the server, access sensitive environment variables, and escalate privileges without requiring user interaction or special access. With a perfect CVSS 3.1 score of 10.0 and network-based attack vector, this represents a critical threat to all unpatched LaRecipe installations.
CVE-2025-50756 is a critical unauthenticated command injection vulnerability in the Wavlink WN535K3 router (firmware version 20191010) affecting the set_sys_adm function's newpass parameter. An unauthenticated remote attacker can execute arbitrary system commands with root privileges by sending a crafted request, enabling complete device compromise including data theft, malware installation, and lateral network movement. The CVSS 9.8 score reflects maximum severity; KEV status and active exploitation likelihood are elevated given the high exploitability characteristics (network-accessible, no authentication required, low attack complexity).
CVE-2025-7574 is a critical authentication bypass vulnerability in LB-LINK wireless router web interfaces affecting multiple models (BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, BL-WR9000) up to version 20250702. The vulnerability in the /cgi-bin/lighttpd.cgi reboot/restore functions allows unauthenticated remote attackers to achieve complete system compromise with high confidentiality, integrity, and availability impact (CVSS 9.8). A public exploit has been disclosed, the vendor has not responded to responsible disclosure efforts, and the attack requires no user interaction or special network conditions.
CVE-2025-7451 is a critical OS Command Injection vulnerability in iSherlock (developed by Hgiga) that allows unauthenticated remote attackers to execute arbitrary operating system commands on vulnerable servers with no authentication required. The vulnerability has active in-the-wild exploitation, carries a maximum CVSS score of 9.8, and poses immediate risk to all exposed instances. Organizations running iSherlock must apply patches immediately.
CVE-2025-53639 is a critical SQL injection vulnerability in MeterSphere's API sorting functionality where the sortField parameter lacks proper input validation and sanitization. All versions prior to 3.6.5-lts are affected, allowing unauthenticated remote attackers to execute arbitrary SQL statements and completely compromise database integrity, availability, and confidentiality. This is a network-exploitable vulnerability with no authentication required and high real-world risk.
CVE-2025-53825 is a critical unauthenticated remote code execution vulnerability in Dokploy versions prior to 0.24.3, where attackers can execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This vulnerability affects all public Dokploy instances utilizing preview deployments and carries a CVSS score of 9.4 (Critical), with no authentication or user interaction required, making it immediately exploitable by any network-adjacent attacker.
A cross-site scripting vulnerability in version 5.4.5 and (CVSS 9.0). Critical severity with potential for significant impact on affected systems. Vendor patch is available.