Skip to main content
CVE-2025-28170 HIGH POC This Week

Information disclosure in the Grandstream GXP1628 IP phone (firmware 1.0.4.130 and earlier) exposes sensitive directories and files because directory listing is enabled on the device web interface, letting attackers browse and retrieve files that should be protected. The flaw (CWE-548) can leak configuration data, credentials, or other sensitive artifacts stored on the device. Publicly available exploit code exists, though EPSS remains low at 0.31% (22nd percentile) and it is not listed in CISA KEV.

Authentication Bypass Gxp1628 Firmware
NVD GitHub
CVSS 3.1
7.6
EPSS
0.3%
CVE-2025-8264 HIGH PATCH This Week

SQL injection in Z-Push IMAP backend allows unauthenticated remote attackers to access, modify, or delete data in linked third-party databases via malicious username values in basic authentication headers. Exploitation requires non-default IMAP_FROM_SQL_QUERY configuration. Publicly available exploit code exists (GitHub PR #161 demonstrates the vulnerability). CVSS 7.9 with network attack vector and no authentication required, though attack complexity increases due to the specific configuration prerequisite. Affects Z-Push versions before 2.7.6.

PHP Information Disclosure SQLi
NVD GitHub
CVSS 4.0
7.9
EPSS
0.1%
CVE-2025-53711 HIGH This Week

A buffer overflow vulnerability exists in the web service of multiple TP-Link router models including TL-WR841N v11, TL-WR842ND v2, and TL-WR494N v3, caused by missing input validation in /userRpm/WlanNetworkRpm.htm. An unauthenticated remote attacker can exploit this to crash the web service and cause a denial-of-service condition. The vulnerability has a low exploitation likelihood with EPSS score of 0.06% and affects products that are no longer supported by TP-Link.

Buffer Overflow Denial Of Service TP-Link
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6175 HIGH This Week

HTTP Request Splitting in DECE Software Geodi before GEODI Setup 9.0.146 allows remote unauthenticated attackers to inject CRLF sequences into HTTP requests, enabling cache poisoning, response splitting, and cross-site scripting against downstream consumers. The flaw is network-reachable with low attack complexity and no authentication, and Turkey's national CERT (USOM) issued advisory TR-25-0182 covering the issue. No public exploit identified at time of analysis and EPSS probability is low at 0.22% (45th percentile).

Code Injection
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy