ACT NOW
CVE-2025-31277
8.8
WebKit memory corruption in Safari 18.6 and multiple Apple platforms allows remote code execution when processing maliciously crafted web content, exploited in the wild as a zero-day.
|
EMERGENCY
CVE-2025-53770
9.8
Microsoft SharePoint Server contains a deserialization vulnerability allowing unauthenticated remote code execution over the network, with active exploitation confirmed and patches pending full release.
|
ACT NOW
CVE-2025-54068
9.8
Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering.
|
EMERGENCY
CVE-2020-36849
9.8
The AIT CSV Import/Export WordPress plugin through version 3.0.3 allows unauthorized arbitrary file uploads without file type validation. The upload handler in upload-handler.php is accessible without authentication, enabling remote attackers to deploy PHP webshells and achieve code execution on the WordPress server.
|
ACT NOW
CVE-2020-36848
7.5
The Total Upkeep WordPress backup plugin through version 1.14.9 exposes backup file locations via env-info.php and restore-info.json. Unauthenticated attackers can discover and download complete site backups containing the database, wp-config.php with credentials, and all uploaded files.
|
ACT NOW
CVE-2020-36847
9.8
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions.
|
EMERGENCY
CVE-2025-34102
9.3
CryptoLog PHP edition (discontinued since 2009) contains a chained SQL injection and command injection vulnerability. An unauthenticated attacker can first bypass authentication via SQLi in login.php, then exploit command injection to gain shell access as the web server user.
|
EMERGENCY
CVE-2025-34101
9.3
Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/action API endpoint. The checkStreamUrl method passes the VIDEO parameter directly to cmd.exe without sanitization, enabling remote code execution on the media server.
|
EMERGENCY
CVE-2025-34100
9.3
BuilderEngine 3.5.0 contains a critical unrestricted file upload vulnerability in its elFinder 2.0 integration and jQuery File Upload plugin, allowing unauthenticated attackers to upload and execute arbitrary PHP files on the server, resulting in complete remote code execution (RCE) under the web server process context. The vulnerability is characterized by a CVSS 9.3 score with no authentication or user interaction required, making it immediately exploitable across network boundaries.
|
EMERGENCY
CVE-2025-34099
9.3
VICIdial call center software versions 2.9 RC1 through 2.13 RC1 contain an unauthenticated command injection in vicidial_sales_viewer.php when password encryption is enabled. The HTTP Basic Authentication password is passed directly to OS commands without sanitization, enabling remote code execution on the call center server.
|
ACT NOW
CVE-2025-34098
7.1
A path traversal vulnerability in Riverbed SteelHead VCX appliances allows authenticated users to retrieve arbitrary system files through improper input validation in the log filtering functionality. The vulnerability affects VCX255U running version 9.6.0a and potentially other VCX models, enabling authenticated attackers to bypass access controls and read sensitive system files via crafted filter expressions. With a CVSS score of 7.1 and authentication requirement, this represents a significant confidentiality risk for organizations running affected appliances, though exploitation requires valid credentials.
|
ACT NOW
CVE-2025-34097
8.6
ProcessMaker BPM platform versions prior to 3.5.4 contain an unrestricted file upload vulnerability in the plugin installation mechanism. An admin can upload a malicious .tar plugin containing arbitrary PHP code that executes during the plugin's install() method, achieving remote code execution on the workflow automation server.
|
EMERGENCY
CVE-2025-34096
9.3
Easy File Sharing HTTP Server version 7.2 contains a stack-based buffer overflow triggered by an oversized Email parameter in POST requests to /sendemail.ghp. Unauthenticated attackers can exploit this for remote code execution on the Windows server.
|
EMERGENCY
CVE-2025-34095
9.3
Mako Server versions 2.5 and 2.6 contain an unauthenticated OS command injection via the tutorial interface at examples/save.lsp. Attackers can send crafted PUT requests with arbitrary Lua os.execute() code that is persisted on disk and executed, achieving remote code execution on the embedded web server.
|
ACT NOW
CVE-2025-34093
7.5
Polycom HDX Series video conferencing systems contain an authenticated command injection in the LAN traceroute function. The devcmds console accessible over Telnet allows injection of shell metacharacters through the traceroute target parameter, enabling arbitrary command execution on the conferencing endpoint.
|
EMERGENCY
CVE-2025-47812
10.0
Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.
|
EMERGENCY
CVE-2025-34077
10.0
The Pie Register WordPress plugin versions up to 3.7.1.4 contain an authentication bypass that allows unauthenticated attackers to log in as any user including administrators. By submitting a crafted POST request with social_site=true and a target user_id_social_site value, attackers generate valid WordPress sessions for arbitrary accounts.
|
ACT NOW
CVE-2025-48384
8.0
Git contains a CRLF injection vulnerability (CVE-2025-48384, CVSS 8.0) in its config handling that allows attackers to escape header lines and modify config values. KEV-listed, this vulnerability in the world's most widely used version control system enables config injection attacks that could lead to arbitrary code execution through Git hooks, credential theft, or repository manipulation.
|
ACT NOW
CVE-2025-49704
8.8
Microsoft Office SharePoint contains a code injection vulnerability (CVE-2025-49704, CVSS 8.8) enabling authenticated attackers to execute arbitrary code over the network. KEV-listed with EPSS 63.8%, this vulnerability requires only basic SharePoint authentication and enables server-level code execution, threatening the documents, workflows, and data stored across the organization's SharePoint infrastructure.
|
ACT NOW
CVE-2025-32023
7.0
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
|
ACT NOW
CVE-2025-6793
9.4
Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability. This vulnerability allows remote attackers to delete arbitrary files and disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the QLogicDownloadImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files and disclose information in the context of SYSTEM. Was ZDI-CAN-24912.
|
ACT NOW
CVE-2025-34088
8.8
An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.
|
ACT NOW
CVE-2025-34087
8.8
Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When adding a domain, the domain parameter is passed to OS commands without sanitization, allowing administrators to execute arbitrary commands with the Pi-hole daemon's privileges.
|
ACT NOW
CVE-2025-34086
8.8
Pandora FMS monitoring platform version 7.0NG and earlier contains an authenticated command injection in the net_tools.php functionality. The select_ips parameter is passed to OS commands without sanitization when performing ping operations, allowing authenticated users to execute arbitrary commands on the monitoring server.
|
ACT NOW
CVE-2025-34079
7.8
An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise.
This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.
|
ACT NOW
CVE-2025-34076
7.2
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.
|
Today's Vulnerabilities Vulnerabilities
Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.
CVEs published in review
Get CVEs that hit your stack — not 200/day
Pick your technologies, get a weekly digest by email. Free, no spam.
React
Python
Postgres
+200 more
React
Next.js
Python
Postgres
AWS
+200 more
Trending Now
See all
Critical Watch
See all
KEV
POC
CVSS
No critical watch entries today
Attack Technique Trend
Prediction based on ZDI Disclosures & CVE data
· 30 days
Vendor Today – Quick Filter
Techniques
POC
CISA KEV
PATCH
UNPATCHED
results
Sort:
Base Score
Vector String
Attack Vector (AV)
Attack Complexity (AC)
Privileges Required (PR)
User Interaction (UI)
Scope (S)
Confidentiality (C)
Integrity (I)
Availability (A)
0
|
3.9|
6.9|
8.9|
10
NONE
LOW
MEDIUM
HIGH
CRITICAL
CVSS Filter
– CVEs match
No CVEs match the selected criteria
Loading...
Incoming
20
Pre-NVD – not yet scored
No vulnerabilities found for this date.
Data may not have been fetched yet.
Live Feed
auto-refresh 60s
Track CVEs for your stack
Sign up free →