Skip to main content
CVE-2025-5243 CRITICAL Act Now

Unauthenticated remote code execution in SMG Software Information Portal versions prior to 13.06.2025 allows attackers to upload web shells and inject OS commands, achieving full server compromise with a maximum CVSS score of 10.0. The vulnerability was reported by Turkey's national CERT (USOM) and no public exploit identified at time of analysis, though the trivial attack complexity and network-accessible nature make it a critical priority for any organization running the affected product.

File Upload Command Injection
NVD VulDB
CVSS 3.1
10.0
EPSS
2.2%
CVE-2025-4784 CRITICAL Act Now

SQL injection in Moderec Tourtella versions prior to 26.05.2025 allows remote unauthenticated attackers to manipulate backend database queries via crafted input, leading to full compromise of confidentiality, integrity, and availability. The flaw was reported through Turkey's national CERT (USOM) under advisory TR-25-0176 and carries a critical 9.8 CVSS score, though no public exploit identified at time of analysis and no EPSS score was provided.

SQLi Tourtella
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-4822 CRITICAL Act Now

SQL injection in Bayraktar Solar Energies ScadaWatt Otopilot (versions before 27.05.2025) allows remote unauthenticated attackers to manipulate backend database queries over the network. With a CVSS 9.8 rating and full impact across confidentiality, integrity, and availability, successful exploitation can yield complete database compromise of this SCADA solar energy monitoring platform. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-6441 CRITICAL Act Now

Unauthenticated login token generation in WebinarIgnition plugin for WordPress (versions ≤4.03.32) allows remote attackers to bypass authentication and impersonate arbitrary users. The vulnerability stems from missing capability checks on support staff authentication functions, enabling attackers to generate valid login tokens and authorization cookies without credentials (CVSS:3.1 AV:N/AC:L/PR:N). EPSS data not provided; no confirmation of active exploitation (CISA KEV) at time of analysis. Public exploit code existence not confirmed, though technical details are available via WordPress plugin repository references.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy