Skip to main content
CVE-2025-53770 CRITICAL POC KEV EUVD KEV THREAT CERT-EU Emergency

Microsoft SharePoint Server contains a deserialization vulnerability allowing unauthenticated remote code execution over the network, with active exploitation confirmed and patches pending full release.

Microsoft RCE Deserialization
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
90.5%
Threat
9.7
CVE-2025-7862 MEDIUM POC This Month

A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the input 1 leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Authentication Bypass T6 Firmware
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-7875 MEDIUM POC This Month

A vulnerability classified as critical has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This affects an unknown part of the file /debug.jsp. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authentication Bypass Metacrm
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7861 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in code-projects Church Donation System 1.0. Affected is an unknown function of the file /members/search.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Church Donation System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7860 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in code-projects Church Donation System 1.0. This issue affects some unknown processing of the file /members/login_admin.php. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Church Donation System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7859 MEDIUM POC This Month

A vulnerability classified as critical was found in code-projects Church Donation System 1.0. This vulnerability affects unknown code of the file /members/update_password_admin.php. The manipulation of the argument new_password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Church Donation System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-7883 HIGH This Week

Command injection in Eluktronics Control Center 5.23.51.41 allows local authenticated users to execute arbitrary PowerShell commands with elevated privileges through the AiStoneService component. The vulnerability has public exploit code available (CVSS E:P) and affects a PC hardware control software, enabling local privilege escalation. Vendor was notified but did not respond, leaving the vulnerability unpatched. EPSS data not available, but the local-only attack vector (AV:L) and authentication requirement (PR:L) limit widespread exploitation risk despite the critical CVSS 7.1 score.

Command Injection Control Center
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-7876 LOW POC Monitor

Remote code execution in Metasoft MetaCRM through 6.4.2 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization of the 'p' parameter in the AnalyzeParam function of download.jsp. Publicly available exploit code exists; CVSS 2.1 score reflects required authentication (PR:L) and limited technical impact scope, but exploitation probability is marked as probable (E:P). Vendor did not respond to early disclosure notification.

Deserialization Metacrm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7879 LOW POC Monitor

Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 via the mobileupload.jsp endpoint allows authenticated remote attackers to upload arbitrary files with limited integrity and confidentiality impact. The vulnerability has been publicly disclosed with exploit code available on GitHub. Despite early vendor contact, Metasoft has not provided a patch or acknowledgment, leaving deployments unpatched.

Authentication Bypass File Upload Metacrm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7877 LOW POC Monitor

Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitrary files via the File parameter in sendfile.jsp, potentially enabling remote code execution or data exfiltration. The vulnerability has publicly available exploit code and affects systems with basic user authentication; however, the CVSS score of 2.1 reflects limited confidentiality, integrity, and availability impact in the base score, though exploitability is marked as probable (E:P).

Authentication Bypass File Upload Metacrm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7880 LOW POC Monitor

Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitrary files via the File parameter in /business/common/sms/sendsms.jsp, potentially leading to remote code execution or data compromise. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited confidentiality impact, but publicly available exploit code exists and the vendor has not responded to early disclosure.

Authentication Bypass File Upload Metacrm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7878 LOW POC Monitor

Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitrary files via the /common/jsp/upload2.jsp endpoint, potentially enabling remote code execution or data exfiltration. The vulnerability requires valid user credentials (PR:L) but involves minimal technical complexity (AC:L). Public exploit code is available and the vendor has not responded to early disclosure notifications.

Authentication Bypass File Upload Metacrm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7887 LOW POC Monitor

Cross-site scripting (XSS) in WikiDocs up to version 1.0.78 allows remote attackers to inject malicious scripts via the path parameter in template.inc.php, requiring user interaction to trigger. The vulnerability has publicly available exploit code and carries a low CVSS score (2.1) due to its reliance on user interaction and limited impact scope, though the EPSS score of 0.10% suggests minimal real-world exploitation likelihood despite public disclosure.

PHP XSS Wikidocs
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7885 LOW POC PATCH Monitor

Reflected cross-site scripting in Huashengdun WebSSH up to version 1.6.2 allows remote attackers to inject malicious scripts via the hostname or port parameters on the login page, requiring user interaction to trigger. The vulnerability has a low CVSS score of 2.1 due to user interaction requirement and limited impact (integrity only), but publicly available exploit code exists and the vendor has not responded to disclosure attempts.

XSS Webssh
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7905 LOW POC Monitor

SQL injection in itsourcecode Insurance Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the recipt_no parameter in /insertPayment.php, resulting in limited confidentiality and integrity impact. The vulnerability requires valid user credentials (PR:L) and carries a low CVSS score of 2.1 despite being classified critical by the discoverer. Exploit code is publicly available and has been disclosed, though no active widespread exploitation has been reported.

PHP SQLi Insurance Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7904 LOW POC Monitor

SQL injection in itsourcecode Insurance Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the nominee_id parameter in /insertNominee.php, resulting in limited confidentiality and integrity impact. Publicly available exploit code exists, though EPSS scoring (0.09th percentile) suggests minimal real-world exploitation likelihood despite the critical classification and public disclosure.

PHP SQLi Insurance Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7894 LOW POC Monitor

SQL injection in Onyx Chat Interface allows authenticated remote attackers to manipulate database queries via the generate_simple_sql function in the KB search component. Versions up to 0.29.1 are affected. While the CVSS score is low (2.1) due to limited impact scope and authentication requirement, public exploit code exists and the vendor has not responded to early disclosure, increasing real-world risk for users who cannot rapidly patch.

SQLi Onyx
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7888 LOW POC Monitor

SQL injection in TDuckCloud tduck-platform 5.1 allows authenticated remote attackers to manipulate the formKey parameter in the UserFormDataMapper function, enabling unauthorized database queries with limited confidentiality and integrity impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

SQLi Java Tduck Platform
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7873 LOW POC Monitor

SQL injection in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to execute arbitrary SQL commands via the workerid parameter in mcc_login.jsp, with publicly available exploit code disclosed after vendor non-response. Despite a CVSS score of 2.1, the vulnerability requires prior authentication (PR:L) and offers only limited confidentiality/integrity impact (VC:L/VI:L), making real-world exploitation risk significantly lower than the critical severity designation suggests.

SQLi Metacrm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7864 LOW POC PATCH Monitor

Unrestricted file upload in JeeSite up to version 5.12.0 allows authenticated remote attackers to upload arbitrary files via the FileUploadController, potentially leading to remote code execution or data exfiltration. The vulnerability has a publicly disclosed proof-of-concept and is classified as critical despite a low CVSS 4.0 score of 2.1, indicating that the CVSS vector (requiring authenticated access and limited scope of impact) does not fully reflect the practical severity of unrestricted file upload capabilities in a web application context.

Java Authentication Bypass File Upload Jeesite
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-7906 LOW POC Monitor

RuoYi versions up to 4.8.1 allow authenticated users to upload files without restriction via the CommonController.uploadFile function, enabling arbitrary file upload. The vulnerability requires valid credentials (PR:L per CVSS vector) but permits remote exploitation with low complexity. Public exploit code exists; however, EPSS score of 0.05% (15th percentile) suggests minimal real-world exploitation despite public disclosure, indicating the threat is constrained by authentication requirements or other practical barriers.

Java Authentication Bypass File Upload Ruoyi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-7903 LOW POC Monitor

Improper restriction of rendered UI layers in RuoYi up to version 4.8.1 allows authenticated remote attackers to manipulate image source handling, leading to unauthorized UI layer visibility or modification. The CVSS score of 2.1 reflects limited integrity impact requiring authenticated access, but the low EPSS score (0.05%, 15th percentile) suggests this vulnerability has minimal real-world exploitation probability despite publicly available exploit code.

XSS Ruoyi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-7907 LOW POC Monitor

RuoYi up to version 4.8.1 uses hardcoded default credentials in the Druid database configuration file (application-druid.yml), allowing authenticated remote attackers to gain low-impact information disclosure. The vulnerability requires prior authentication (PR:L per CVSS 4.0) and has been publicly disclosed with exploit details available, though EPSS scoring (0.05%) and the low CVSS impact (VC:L only) suggest limited real-world exploitation risk despite the proof-of-concept availability.

Information Disclosure Ruoyi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-7898 LOW POC Monitor

Unrestricted file upload in Codecanyon iDentSoft 2.0 Account Setting Page allows high-privileged remote attackers to upload arbitrary files via the photo parameter in /clinica/profile/updateSetting, potentially enabling code execution or system compromise. CVSS score of 2.0 reflects the requirement for high-privilege authentication, but publicly available exploit code exists and the vulnerability has been disclosed. This is primarily a privilege-escalation concern affecting administrators rather than a default-configuration flaw.

Authentication Bypass File Upload Identsoft
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-7865 LOW POC PATCH Monitor

Stored cross-site scripting (XSS) in JeeSite's xssFilter function allows authenticated users to inject malicious scripts via the text parameter in EncodeUtils.java, affecting versions up to 5.12.0. The vulnerability requires user interaction to trigger payload execution and has publicly available exploit code. With EPSS score of 0.07% and CVSS 2.0, exploitation likelihood is low despite public disclosure, but remediation is straightforward via vendor patch.

Java XSS Jeesite
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-7867 LOW POC Monitor

Stored cross-site scripting (XSS) vulnerability in Portabilis i-Educar 2.9.0 and 2.10.0 allows authenticated users to inject malicious scripts via the novo_titulo and novo_descricao parameters in the Agenda Module (/intranet/agenda.php), which are then executed in the browsers of other users viewing the affected content. The vulnerability requires user interaction (victim must view the crafted agenda entry) and authenticated access, resulting in a low-severity impact with an EPSS exploitation probability of 0.06% percentile 19. Public exploit code is available, though vendor did not respond to early disclosure notification.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-7902 LOW POC Monitor

Stored cross-site scripting (XSS) in RuoYi up to version 4.8.1 allows authenticated users to inject malicious scripts via the SysNoticeController.addSave function, compromising integrity of system notices. The vulnerability requires user interaction and authenticated access but has a publicly available proof-of-concept. With an EPSS score of 0.05%, exploitation remains unlikely in practice despite the public disclosure.

XSS Ruoyi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-7858 LOW POC Monitor

Stored cross-site scripting in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated users to inject malicious scripts via the adminname parameter in /admin-profile.php, affecting other administrators who view the modified profile. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting its severity despite remote network accessibility. Publicly available exploit code exists, though real-world exploitation depends on social engineering authenticated users to click malicious links or administrative interaction.

PHP XSS Apartment Visitors Management System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-7872 LOW POC Monitor

Stored cross-site scripting (XSS) in Portabilis i-Diario 1.5.0 allows authenticated users to inject malicious scripts via the Justificativa parameter in the /justificativas-de-falta endpoint, which are then executed in the browsers of other users viewing the page. The vulnerability requires user interaction (clicking a malicious link) and authenticated access, limiting its severity despite public exploit availability. EPSS exploitation probability is very low at 0.05 percentile, and the vendor has not responded to disclosure.

XSS I Diario
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7871 LOW POC Monitor

Stored cross-site scripting (XSS) in Portabilis i-Diario 1.5.0 allows authenticated users to inject malicious scripts via the filter[by_description] parameter in the /conteudos endpoint, which are then reflected to other users. The vulnerability requires user interaction (UI:P) to trigger but has low confidentiality impact and publicly available exploit code; however, the extremely low EPSS score (0.05%) and vendor non-responsiveness suggest limited real-world exploitation despite disclosed POC.

XSS I Diario
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7870 LOW POC Monitor

Cross-site scripting (XSS) in Portabilis i-Diario 1.5.0 allows authenticated users to inject malicious scripts via the Anexo parameter in the justificativas-de-falta endpoint, impacting other users who view the affected content. The vulnerability requires user interaction and authenticated access, with an EPSS score of 0.05% indicating low real-world exploitation likelihood despite public exploit availability. The vendor has not responded to disclosure communications.

XSS I Diario
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7868 LOW POC Monitor

Stored cross-site scripting in Portabilis i-Educar up to version 2.10 allows authenticated remote attackers to inject malicious scripts via the Motivo/descricao parameter in the Calendar Module (/intranet/educar_calendario_dia_motivo_cad.php), requiring user interaction to execute. Public exploit code is available and the vendor has not responded to disclosure attempts despite early notification.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7869 LOW POC Monitor

Stored cross-site scripting in Portabilis i-Educar 2.9.0 allows authenticated remote attackers to inject malicious scripts via the nm_tipo parameter in the Turma Module administrative interface. The vulnerability requires user interaction and affects the integrity of application data. Publicly available exploit code exists, and the vendor has not responded to disclosure.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7866 LOW POC Monitor

Stored cross-site scripting (XSS) in Portabilis i-Educar 2.9.0 allows authenticated users to inject malicious scripts via the 'Deficiência ou Transtorno' parameter in the Disabilities Module (/intranet/educar_deficiencia_lst.php), affecting other users who view the injected content. The vulnerability requires user interaction (victim must view the page) and authenticated access, limiting its severity to reflected/stored XSS with user-level privileges. Public exploit code exists, but active exploitation has not been confirmed in CISA KEV, and the vendor has not responded to disclosure.

PHP XSS I Educar
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7881 LOW POC Monitor

Weak password recovery in Mercusys MW301R 1.0.2 Build 190726 allows high-privileged authenticated attackers to manipulate the code argument in the web interface to disclose or modify password recovery mechanisms, with publicly available exploit code. The vendor has not responded to early disclosure notification. EPSS exploitation probability is 0.04% (13th percentile), indicating minimal real-world exploitation likelihood despite public POC availability.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7892 LOW POC Monitor

IDnow App for Android up to version 9.6.0 improperly exports application components via AndroidManifest.xml misconfiguration, allowing local attackers with user-level privileges to access sensitive functionality or information disclosure. The vulnerability is classified as low severity (CVSS 1.9) with publicly available exploit code, but the vendor has not responded to disclosure and no patch has been released. While exploitation requires local device access and legitimate app installation, the improper component export could enable privilege escalation or data theft when combined with other vulnerabilities.

Information Disclosure Google Idnow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-7891 LOW POC Monitor

InstantBits Web Video Cast on Android versions up to 5.12.4 improperly exports application components via AndroidManifest.xml configuration, allowing local attackers with user privileges to access sensitive functionality without authentication. The vulnerability has a CVSS score of 1.9 with low confidentiality impact and no integrity or availability impact, but is rated problematic due to the disclosure of exploitation techniques and vendor non-responsiveness. This is a local, low-severity information disclosure issue affecting only users with direct device access.

Information Disclosure Google Web Video Cast
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-7893 LOW POC Monitor

Foresight News App for Android versions up to 2.6.4 improperly exports application components via AndroidManifest.xml, allowing local attackers with limited privileges to access sensitive information. The CVSS 1.9 score reflects low actual impact (information disclosure only, no integrity or availability loss), though the vulnerability is publicly exploitable. EPSS percentile of 13% indicates minimal real-world exploitation likelihood despite public POC availability, suggesting this is a low-priority issue for most deployments.

Information Disclosure Google Foresight News
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-7890 LOW POC Monitor

Dunamu StockPlus Android app versions up to 7.62.10 improperly export application components via AndroidManifest.xml configuration, allowing local attackers with low privileges to access sensitive functionality. The vulnerability requires local device access and affects the com.dunamu.stockplus component, resulting in limited information disclosure. Publicly available exploit code exists, and the vendor did not respond to early disclosure notification.

Information Disclosure Google Stockplus
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-7889 LOW POC Monitor

CallApp Caller ID App versions up to 2.0.4 on Android improperly export application components via AndroidManifest.xml misconfiguration, allowing local authenticated attackers to access sensitive functionality with limited information disclosure impact. The vulnerability has been publicly disclosed with exploit code available, though the CVSS score of 1.9 and EPSS of 0.03% indicate minimal real-world exploitation risk despite public POC availability.

Information Disclosure Google Callapp
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-7886 MEDIUM This Month

A vulnerability, which was classified as critical, was found in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. This affects the function getUserLanguage of the file classes/class.database.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-7882 LOW POC Monitor

Improper brute-force protection in the Mercusys MW301R router allows local network attackers to conduct excessive authentication attempts against the login component without rate limiting. The vulnerability affects firmware version 1.0.2 Build 190726 Rel.59423n and permits attackers to bypass authentication attempt restrictions, though actual credential compromise requires additional attack complexity. Public exploit code exists, but the vendor has not responded to disclosure and provided no patch.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-7884 LOW Monitor

Eluktronics Control Center 5.23.51.41 permits local authenticated users to bypass data authenticity verification in the REG File Handler component, resulting in potential information disclosure. The vulnerability requires local access and authenticated privileges but carries minimal real-world impact given the CVSS 1.9 score and EPSS exploitation probability of 0.01% (third percentile). Public exploit code has been disclosed, though vendor has not responded to disclosure notifications.

Information Disclosure Control Center
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy