Skip to main content
CVE-2025-44608 MEDIUM POC This Month

SQL injection in CloudClassroom-PHP Project v1.0 exposes the application to remote, unauthenticated database manipulation via the `viewid` parameter. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites - any internet-accessible instance is directly exploitable without credentials. A publicly available proof-of-concept exists on GitHub, though EPSS at 0.31% (23rd percentile) indicates low observed exploitation probability at time of analysis, consistent with the obscure deployment footprint of this niche educational PHP application. No active exploitation is confirmed in CISA KEV.

SQLi PHP Cloudclassroom Php Project
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-45960 MEDIUM POC This Month

Stored cross-site scripting in tawk.to Live Chat 1.6.1 allows unauthenticated remote attackers to inject persistent JavaScript payloads via the chat widget, which execute in the browsers of support agents or site administrators who view the tainted transcripts. The CVSS 3.1 Scope:Changed metric confirms the injected script executes in the victim's browser origin, enabling session hijacking or credential theft against the hosting site - not merely the chat platform. A public proof-of-concept is available on GitHub; no CISA KEV listing exists and EPSS sits at 0.43% (35th percentile), indicating low current mass-exploitation but a meaningful attacker-accessible entry point given the lowered skill bar from the POC.

XSS RCE Tawk To
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2025-8173 MEDIUM POC This Month

A vulnerability has been found in 1000 Projects ABC Courier Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /Add_reciver.php. The manipulation of the argument reciver_name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Abc Courier Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-8166 MEDIUM POC This Month

A vulnerability was found in code-projects Church Donation System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/index.php of the component HTTP POST Request Handler. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Church Donation System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-29630 MEDIUM This Month

Remote root access in Gardyn Home Kit Firmware via SSH private key compromise allows authenticated remote attackers with high privileges to execute arbitrary commands as root on affected devices. The vulnerability stems from improper cryptographic key management (CWE-321) and carries a CVSS score of 6.6; no public exploit code or active exploitation has been independently confirmed at the time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-45939 MEDIUM This Month

Server-Side Request Forgery in Apwide Golive 10.2.0 for Jira allows an attacker to abuse the plugin's test webhook function to induce the server to issue HTTP requests to arbitrary internal or external hosts. The vulnerability carries a scope-changed CVSS vector (S:C), meaning requests escape the plugin's trust boundary and can reach internal network resources invisible to the attacker. With an EPSS of 0.29% (20th percentile) and no active exploitation confirmed in CISA KEV, real-world risk is currently low, but the SSRF primitive could enable internal service enumeration or SSRF-chained attacks against cloud metadata endpoints on Jira-hosting infrastructure.

Atlassian SSRF Golive
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-5253 MEDIUM This Month

HTTP denial-of-service in Kron Technologies Kron PAM (all versions before 3.7) allows a low-privileged authenticated remote attacker to exhaust server resources through unthrottled HTTP request processing. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms the attack is network-reachable at low complexity, requiring only a valid user account, with full availability impact and no scope change. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog; EPSS sits at 0.28% (52nd percentile), indicating low-to-moderate real-world exploitation probability at time of analysis.

Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-5254 MEDIUM This Month

Stored Cross-Site Scripting in Kron Technologies Kron PAM (versions before 3.7) allows a highly privileged authenticated attacker to inject persistent malicious scripts into the application that execute in the browsers of other users who view the affected content. Despite the high privilege required to plant the payload, the impact is rated High on both confidentiality and integrity - a realistic concern in Privileged Access Management platforms where session hijacking or credential harvesting against super-administrators carries severe downstream risk. No public exploit code or active exploitation has been identified at time of analysis; EPSS is low at 0.18% (40th percentile).

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-38408 MEDIUM PATCH This Month

A null pointer dereference vulnerability exists in the Linux kernel's interrupt simulation (genirq/irq_sim) subsystem where uninitialized pointers in the work context can be dereferenced, leading to kernel denial of service. The vulnerability affects Linux kernel versions including 6.16-rc1 and 6.16-rc2, and potentially earlier stable releases. A local attacker with unprivileged user privileges can trigger a kernel crash by invoking interrupt simulation functionality, causing system unavailability. Patches are available from the Linux kernel stable repositories, and exploitation probability is low (EPSS 0.02%, percentile 6%) despite the moderate CVSS score of 5.5.

Linux Null Pointer Dereference Denial Of Service Linux Kernel Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38426 MEDIUM PATCH This Month

Linux kernel RAS (Reliability, Availability, Serviceability) header validation in the AMD GPU driver (amdgpu) lacks input sanitization, allowing a local authenticated attacker to trigger denial of service through excessive memory allocation when reading corrupted EEPROM data. The vulnerability affects all Linux kernel versions with the vulnerable amdgpu driver code path and requires local access with standard user privileges. No public exploit code has been identified; the EPSS score of 0.02% (5th percentile) indicates low real-world exploitation probability despite the moderate CVSS 5.5 rating.

Linux Linux Kernel Denial Of Service Memory Corruption Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38466 MEDIUM PATCH This Month

Linux kernel uprobes implementation allows local privileged users to cause denial of service by placing probes at invalid instruction boundaries, exploiting variable-length instruction decoding and mixing of data in text segments on architectures like ARM64. The vulnerability requires CAP_SYS_ADMIN capability, limiting exposure to privileged local attackers. Patch available across multiple stable kernel branches (6.16-rc1 through rc4 and earlier versions).

Information Disclosure Linux Debian Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38465 MEDIUM PATCH This Month

Integer wraparound in Linux kernel netlink socket receive buffer accounting allows local authenticated attackers to exhaust kernel memory by bypassing receive buffer limits via integer overflow in sk_rmem_alloc comparison. An attacker with local access can set SO_RCVBUFFORCE to INT_MAX, causing the receive buffer check to always evaluate false and permitting unlimited socket buffer allocation until out-of-memory conditions occur. CVSS 5.5 indicates local denial of service with potential system-wide impact; no active exploitation confirmed but vulnerability affects all Linux distributions.

Information Disclosure Linux Debian Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38457 MEDIUM PATCH This Month

Denial of service in Linux kernel traffic control (qdisc) subsystem allows local authenticated attackers to crash the system by creating or modifying queue disciplines with invalid parent class references. When certain qdiscs (fq, hhf, choke, etc.) invoke qdisc_tree_reduce_backlog during initialization with a null parent class, they trigger an unhandled null pointer dereference. No active exploitation confirmed (KEV not listed), but CVSS 5.5 reflects local privilege requirement with high availability impact.

Information Disclosure Linux Debian Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38451 MEDIUM PATCH This Month

A general protection fault (GPF) in the Linux kernel's md-bitmap module affects the bitmap_get_stats() function when reading bitmap statistics for RAID devices with external bitmaps. Local users with sufficient privileges can trigger a kernel panic by accessing bitmap statistics through the /proc interface, causing denial of service. The vulnerability stems from incomplete validation of bitmap storage configuration introduced by a prior fix that failed to properly check superblock validity for both internal and external bitmap modes.

Canonical Information Disclosure Linux Debian Linux Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38436 MEDIUM PATCH This Month

Linux kernel DRM scheduler fails to signal scheduled fences when killing job entities, causing dependent applications to hang indefinitely waiting for unresolved dependencies. Authenticated local users can trigger this denial of service by terminating applications whose job dependencies are not properly cleared during entity kill operations. The vulnerability affects multiple Linux kernel versions and has been patched upstream.

Linux Information Disclosure Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38430 MEDIUM PATCH This Month

Denial of service in Linux kernel nfsd (NFS server daemon) allows local authenticated attackers to crash the system by triggering undefined behavior in nfsd4_spo_must_allow() when non-v4 compound RPC requests are processed. The vulnerability stems from missing validation that incoming RPC procedures are NFSv4 COMPOUND requests before examining internal state structures, causing memory access violations and system unavailability.

Information Disclosure Linux Debian Linux Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38400 MEDIUM PATCH This Month

Linux kernel NFS subsystem fails to clean up /proc/net/rpc/nfs directory when nfs_fs_proc_net_init() encounters a memory allocation failure, causing a warning when rpc_proc_exit() later attempts to remove the non-empty parent directory. The vulnerability affects kernel versions 6.16-rc1 through 6.16-rc3 and likely earlier versions, and requires local privileges to trigger via fault injection or memory pressure. While marked as availability impact (DoS via kernel warning), the practical severity is limited as it primarily causes a procfs resource leak rather than direct system compromise.

Information Disclosure Google Linux Debian Linux Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38364 MEDIUM PATCH This Month

Null pointer dereference in Linux kernel maple_tree memory allocator causes denial of service when the MA_STATE_PREALLOC flag is incorrectly managed during node allocation requests. Local authenticated attackers can trigger this via memory operations that request large numbers of nodes, such as VMA merges during mmap_region() calls, leading to WARN_ON() messages followed by kernel crash. Affects Linux kernel versions including 6.16 release candidates and is confirmed patched in stable branches.

Denial Of Service Null Pointer Dereference Linux Debian Linux Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-38393 MEDIUM PATCH This Month

Race condition in Linux kernel NFSv4/pNFS layout draining allows local authenticated users to trigger denial of service through system hangs in writeback operations. The vulnerability exists in pnfs_update_layout() where a waiter on the NFS_LAYOUT_DRAIN bit can race with the waker when plh_outstanding count reaches zero, causing threads to block indefinitely on page locks. Patch available from upstream kernel stable branches.

Race Condition Information Disclosure Linux Debian Linux Red Hat +1
NVD
CVSS 3.1
4.7
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy