Skip to main content
CVE-2013-10051 CRITICAL POC THREAT Emergency

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.8%.

PHP Code Injection RCE Instantcms
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
75.8%
Threat
5.6
CVE-2013-10055 CRITICAL POC THREAT Emergency

An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 73.5%.

PHP File Upload RCE
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
73.5%
Threat
5.6
CVE-2013-10047 CRITICAL POC THREAT Emergency

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote attackers to upload arbitrary files to the server’s filesystem. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 61.8%.

File Upload Microsoft Windows
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
61.8%
Threat
5.2
CVE-2013-10060 CRITICAL POC THREAT Emergency

An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 61.0%.

Netgear Command Injection Dgn2200B Firmware
NVD Exploit-DB
CVSS 4.0
9.4
EPSS
61.0%
Threat
5.2
CVE-2013-10048 CRITICAL POC THREAT Emergency

An OS command injection vulnerability exists in various legacy D-Link routers-including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)-due to improper input handling in the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 59.8%.

Command Injection PHP D-Link Dir 300 Firmware Dir 600 Firmware
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
59.8%
Threat
5.2
CVE-2013-10049 CRITICAL POC THREAT Emergency

An OS command injection vulnerability exists in multiple Raidsonic NAS devices-specifically tested on IB-NAS5220 and IB-NAS4220-via the unauthenticated timeHandler.cgi endpoint exposed through the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 51.4%.

Command Injection
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
51.4%
Threat
4.9
CVE-2025-5947 CRITICAL POC Act Now

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-50870 CRITICAL Act Now

Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass PHP Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-45150 CRITICAL Act Now

Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Langchain Chatglm Webui
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2019-19144 CRITICAL Act Now

XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-41375 CRITICAL Act Now

SQL Injection vulnerability in Limesurvey v2.65.1+170522. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Limesurvey
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-52390 CRITICAL Act Now

Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-54792 CRITICAL POC PATCH Act Now

LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Localsend
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-6000 CRITICAL POC PATCH This Week

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Hashicorp Code Injection Vault Red Hat +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-54574 CRITICAL PATCH This Week

Squid is a caching proxy for the Web. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow Buffer Overflow RCE Squid Red Hat +1
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
3.0%
CVE-2025-50472 CRITICAL This Week

The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()`. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-50460 CRITICAL PATCH This Week

A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Deserialization
NVD GitHub
CVSS 3.1
9.8
EPSS
3.1%
CVE-2025-41371 CRITICAL This Week

A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Gandia Integra Total
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-41370 CRITICAL This Week

A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Gandia Integra Total
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-8454 CRITICAL PATCH This Week

It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jwt Attack Debian Devscripts Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-5954 CRITICAL This Week

The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy