THREAT ALERT

ACT NOW CVE-2025-8088 8.4 WinRAR for Windows contains a path traversal vulnerability allowing crafted archives to execute arbitrary code, discovered by ESET and exploited in the wild for targeted attacks. | EMERGENCY CVE-2025-54253 10.0 Adobe Experience Manager versions 6.5.23 and earlier contain a misconfiguration vulnerability enabling unauthenticated remote code execution with changed scope (CVSS 10.0). | ACT NOW CVE-2025-54948 9.4 Trend Micro Apex One on-premise management console allows pre-authenticated remote attackers to upload malicious code and execute commands, enabling complete server compromise. | ACT NOW CVE-2025-6205 9.1 DELMIA Apriso contains a missing authorization vulnerability allowing attackers to gain privileged access to the manufacturing execution system application. | ACT NOW CVE-2025-6204 8.0 DELMIA Apriso from Release 2020 through 2025 contains a code injection vulnerability allowing attackers to execute arbitrary code on the manufacturing execution system. | ACT NOW CVE-2025-54782 9.4 Nest is a framework for building scalable Node.js server-side applications. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%. | ACT NOW CVE-2025-31277 8.8 WebKit memory corruption in Safari 18.6 and multiple Apple platforms allows remote code execution when processing maliciously crafted web content, exploited in the wild as a zero-day. | EMERGENCY CVE-2025-53770 9.8 Microsoft SharePoint Server contains a deserialization vulnerability allowing unauthenticated remote code execution over the network, with active exploitation confirmed and patches pending full release. | ACT NOW CVE-2025-54068 9.8 Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering. |

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — August 13, 2025

125 CVEs tracked today. 15 Critical, 54 High, 54 Medium, 2 Low.

CVE-2025-54382 CRITICAL CVSS 9.6
Cherry Studio is a desktop client that supports for multiple LLM providers. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE Cherry Studio
CVE-2025-50251 CRITICAL CVSS 9.1
Server side request forgery (SSRF) vulnerability in makeplane plane 0.23.1 via the password recovery. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF
CVE-2025-8913 CRITICAL CVSS 9.3
Organization Portal System developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Lfi PHP RCE Organization Portal System
CVE-2025-7384 CRITICAL CVSS 9.8
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Deserialization RCE Denial Of Service
CVE-2025-52385 CRITICAL CVSS 9.8
An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
CVE-2025-51452 CRITICAL CVSS 9.8
In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass A7000r Firmware TOTOLINK
CVE-2025-51451 CRITICAL CVSS 9.8
In TOTOLINK EX1200T firmware 4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ex1200t Firmware TOTOLINK
CVE-2025-50594 CRITICAL CVSS 9.8
An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-43986 CRITICAL CVSS 9.8
An issue was discovered on KuWFi GC111 GC111-GL-LM321_V3.0_20191211 devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-43982 CRITICAL CVSS 9.8
Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-34154 CRITICAL CVSS 9.2
UnForm Server Manager versions prior to 10.1.12 expose an unauthenticated file read vulnerability via its log file analysis interface. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
CVE-2025-34153 CRITICAL CVSS 10.0
Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
CVE-2025-8904 CRITICAL CVSS 9.0
Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation
CVE-2025-8760 CRITICAL CVSS 9.3
A vulnerability was identified in INSTAR 2K+ and 4K 3.11.1 Build 1124. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow
CVE-2025-6715 CRITICAL CVSS 9.8
The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Information Disclosure
CVE-2025-55345 HIGH CVSS 8.8
Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE
CVE-2025-55196 HIGH CVSS 7.1
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure Kubernetes Suse
CVE-2025-55163 HIGH CVSS 8.2
Netty is an asynchronous, event-driven network application framework. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Netty Redhat Suse
CVE-2025-55154 HIGH CVSS 8.8
ImageMagick is free and open-source software used for editing and manipulating digital images. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Integer Overflow Imagemagick Redhat Suse
CVE-2025-55004 HIGH CVSS 7.6
ImageMagick is free and open-source software used for editing and manipulating digital images. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Imagemagick Redhat Suse
CVE-2025-54809 HIGH CVSS 8.8
F5 Access for Android before version 3.1.2 which uses HTTPS does not verify the remote endpoint identity. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google Information Disclosure F5 Access Android
CVE-2025-54464 HIGH CVSS 7.0
This vulnerability exists in ZKTeco WL20 due to storage of admin and user credentials without encryption in the device firmware. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-54074 HIGH CVSS 7.7
Cherry Studio is a desktop client that supports for multiple LLM providers. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Cherry Studio
CVE-2025-52585 HIGH CVSS 8.7
When a BIG-IP LTM Client SSL profile is configured on a virtual server with SSL Forward Proxy enabled and Anonymous Diffie-Hellman (ADH) ciphers enabled, undisclosed requests can cause the Traffic. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Null Pointer Dereference Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Advanced Web Application Firewall
CVE-2025-50635 HIGH CVSS 7.5
A null pointer dereference vulnerability was discovered in Netis WF2780 v2.2.35445. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Null Pointer Dereference Wf2780 Firmware
CVE-2025-50617 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_0046ed68 function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50616 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_0046f984 function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50615 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00470c50 function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50614 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in the Netis WF2880 v2.1.40207 in the FUN_0047151c function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50613 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00475e1c function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50612 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in the Netis WF2880 v2.1.40207 in the FUN_004743f8 function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50611 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00473154 function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50610 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00476598 function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50609 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the Function_00465620 of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-50608 HIGH CVSS 7.5
A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00471994 function of the cgitest.cgi file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Wf2880 Firmware
CVE-2025-48989 HIGH CVSS 7.5
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Apache Redhat Suse
CVE-2025-48500 HIGH CVSS 7.0
A missing file integrity check vulnerability exists on MacOS F5 VPN browser client installer that may allow a local, authenticated attacker with access to the local file system to replace it with a. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure Big Ip Access Policy Manager Big Ip Access Policy Manager Client macOS
CVE-2025-46405 HIGH CVSS 8.7
When Network Access is configured on a BIG-IP APM virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Stack Overflow Big Ip Access Policy Manager
CVE-2025-43988 HIGH CVSS 7.5
KuWFi 5G01-X55 FL2020_V0.0.12 devices expose an unauthenticated API endpoint (ajax_get.cgi), allowing remote attackers to retrieve sensitive configuration data, including admin credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-32451 HIGH CVSS 8.8
A memory corruption vulnerability exists in Foxit Reader 2025.1.0.27937 due to the use of an uninitialized pointer. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow RCE Pdf Reader
CVE-2025-23306 HIGH CVSS 7.8
NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/ arguments.py component where an attacker could cause a code injection issue by providing a malicious input. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Megatron Lm
CVE-2025-23305 HIGH CVSS 7.8
NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Megatron Lm
CVE-2025-23304 HIGH CVSS 7.8
NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by loading .nemo files with maliciously crafted metadata. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Path Traversal Nemo
CVE-2025-23303 HIGH CVSS 7.8
NVIDIA NeMo Framework for all platforms contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Deserialization Nvidia Nemo
CVE-2025-23298 HIGH CVSS 7.8
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE Python Information Disclosure
CVE-2025-23296 HIGH CVSS 7.8
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE Python Information Disclosure
CVE-2025-23295 HIGH CVSS 7.8
NVIDIA Apex for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue by providing a malicious file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE Python Information Disclosure
CVE-2025-23294 HIGH CVSS 7.8
NVIDIA WebDataset for all platforms contains a vulnerability where an attacker could execute arbitrary code with elevated permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Nvidia RCE Denial Of Service Information Disclosure
CVE-2025-8941 HIGH CVSS 7.8
A flaw was found in linux-pam. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Redhat Suse
CVE-2025-8914 HIGH CVSS 7.1
Organization Portal System developed by WellChoose has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Organization Portal System
CVE-2025-8912 HIGH CVSS 8.7
Organization Portal System developed by WellChoose has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Organization Portal System
CVE-2025-8909 HIGH CVSS 7.1
Organization Portal System developed by WellChoose has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Organization Portal System
CVE-2025-8907 HIGH CVSS 7.3
A vulnerability was found in H3C M2 NAS V100R006. Rated high severity (CVSS 7.3). No vendor patch available.

Privilege Escalation
CVE-2025-8901 HIGH CVSS 8.8
Out of bounds write in ANGLE in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Google Chrome Suse
CVE-2025-8882 HIGH CVSS 8.8
Use after free in Aura in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Google Denial Of Service Use After Free Chrome
CVE-2025-8880 HIGH CVSS 8.8
Race in V8 in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Google Race Condition Chrome Suse
CVE-2025-8879 HIGH CVSS 8.8
Heap buffer overflow in libaom in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to potentially exploit heap corruption via a curated set of gestures. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Google Chrome Suse
CVE-2025-8762 HIGH CVSS 7.0
A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-8761 HIGH CVSS 7.7
A vulnerability has been found in INSTAR 2K+ and 4K 3.11.1 Build 1124. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
CVE-2025-8754 HIGH CVSS 8.7
Missing Authentication for Critical Function vulnerability in ABB ABB AbilityTM zenon.50 through 14. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Abb
CVE-2025-8671 HIGH CVSS 7.5
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Suse
CVE-2025-7739 HIGH CVSS 8.7
An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab XSS
CVE-2025-7734 HIGH CVSS 8.7
An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab XSS
CVE-2025-6186 HIGH CVSS 8.7
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab XSS
CVE-2025-6184 HIGH CVSS 8.8
The Tutor LMS Pro - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
CVE-2025-4410 HIGH CVSS 7.5
A buffer overflow vulnerability exists in the module SetupUtility. Rated high severity (CVSS 7.5). No vendor patch available.

Buffer Overflow RCE
CVE-2025-4277 HIGH CVSS 7.5
Tcg2Smm has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level. Rated high severity (CVSS 7.5). No vendor patch available.

RCE
CVE-2025-4276 HIGH CVSS 7.5
UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level. Rated high severity (CVSS 7.5). No vendor patch available.

RCE
CVE-2024-5477 HIGH CVSS 7.3
A potential security vulnerability has been identified in the System BIOS for some HP PC products which may allow escalation of privilege, arbitrary code execution, denial of service, or information. Rated high severity (CVSS 7.3), this vulnerability is no authentication required. No vendor patch available.

Hp RCE Denial Of Service Privilege Escalation Information Disclosure
CVE-2025-55668 MEDIUM CVSS 6.5
Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Session Fixation Apache Redhat
CVE-2025-55280 MEDIUM CVSS 5.2
This vulnerability exists in ZKTeco WL20 due to storage of Wi-Fi credentials, configuration data and system data in plaintext within the device firmware. Rated medium severity (CVSS 5.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-55279 MEDIUM CVSS 6.9
This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Information Disclosure
CVE-2025-55197 MEDIUM CVSS 6.6
pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Python Pypdf Redhat Suse
CVE-2025-55194 MEDIUM CVSS 5.7
Part-DB is an open source inventory management system for electronic components. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Part Db
CVE-2025-55160 MEDIUM CVSS 6.1
ImageMagick is free and open-source software used for editing and manipulating digital images. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Imagemagick Redhat Suse
CVE-2025-55005 MEDIUM CVSS 5.5
ImageMagick is free and open-source software used for editing and manipulating digital images. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Imagemagick Redhat Suse
CVE-2025-54791 MEDIUM CVSS 5.3
OMERO.web provides a web based client and plugin infrastructure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Omero Web
CVE-2025-54500 MEDIUM CVSS 6.9
An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Advanced Web Application Firewall Big Ip Analytics
CVE-2025-54465 MEDIUM CVSS 6.8
This vulnerability exists in ZKTeco WL20 due to hard-coded MQTT credentials and endpoints stored in plaintext within the device firmware. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-53859 MEDIUM CVSS 6.3
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Nginx Information Disclosure Nginx Plus Nginx Open Source
CVE-2025-52392 MEDIUM CVSS 5.4
Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass
CVE-2025-52386 MEDIUM CVSS 5.4
CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
CVE-2025-51691 MEDIUM CVSS 6.1
Cross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS
CVE-2025-50946 MEDIUM CVSS 6.5
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Olivetin Suse
CVE-2025-50690 MEDIUM CVSS 6.1
A Cross-Site Scripting (XSS) vulnerability exists in SpatialReference.org (OSGeo/spatialreference.org) versions prior to 2025-05-17 (commit 2120adfa17ddd535bd0f539e6c4988fa3a2cb491). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-45317 MEDIUM CVSS 6.5
A zip slip vulnerability in the /modules/ImportModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary code via a crafted archive. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP RCE Hortusfox
CVE-2025-45316 MEDIUM CVSS 6.1
A cross-site scripting (XSS) vulnerability in the TextBlockModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hortusfox
CVE-2025-45315 MEDIUM CVSS 5.4
A cross-site scripting (XSS) vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hortusfox
CVE-2025-45314 MEDIUM CVSS 6.1
A cross-site scripting (XSS) vulnerability in the /Calendar endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hortusfox
CVE-2025-45313 MEDIUM CVSS 6.1
A cross-site scripting (XSS) vulnerability in the /tasks endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hortusfox
CVE-2025-43989 MEDIUM CVSS 6.5
The /goform/formJsonAjaxReq POST endpoint of Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices mishandles the set_timesetting action with the ntpserver0 parameter, which is used in a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Command Injection
CVE-2025-8929 MEDIUM CVSS 5.3
A vulnerability has been found in code-projects Medical Store Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Medical Store Management System
CVE-2025-8928 MEDIUM CVSS 5.3
A vulnerability was identified in code-projects Medical Store Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SQLi Medical Store Management System
CVE-2025-8927 MEDIUM CVSS 6.3
A vulnerability was determined in mtons mblog up to 3.5.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Mblog
CVE-2025-8926 MEDIUM CVSS 6.9
A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Covid19 Testing Management System
CVE-2025-8925 MEDIUM CVSS 6.9
A vulnerability has been found in itsourcecode Sports Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Sports Management System
CVE-2025-8924 MEDIUM CVSS 6.9
A vulnerability was identified in Campcodes Online Water Billing System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Online Water Billing System
CVE-2025-8923 MEDIUM CVSS 6.9
A vulnerability was determined in code-projects Job Diary 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Job Diary
CVE-2025-8922 MEDIUM CVSS 6.9
A vulnerability was found in code-projects Job Diary 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Job Diary
CVE-2025-8921 MEDIUM CVSS 6.9
A vulnerability has been found in code-projects Job Diary 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Job Diary
CVE-2025-8920 MEDIUM CVSS 4.8
A vulnerability was identified in Portabilis i-Diario 1.6. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS I Diario
CVE-2025-8919 MEDIUM CVSS 4.8
A vulnerability was determined in Portabilis i-Diario up to 1.6. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS I Diario
CVE-2025-8918 MEDIUM CVSS 4.8
A vulnerability was found in Portabilis i-Educar up to 2.10.php of the component Editar Page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS I Educar
CVE-2025-8916 MEDIUM CVSS 6.3
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java Redhat Suse
CVE-2025-8911 MEDIUM CVSS 5.3
Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Organization Portal System
CVE-2025-8910 MEDIUM CVSS 5.3
Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Organization Portal System
CVE-2025-8908 MEDIUM CVSS 5.3
A vulnerability was determined in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.5.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi Lingdang Crm
CVE-2025-8891 MEDIUM CVSS 4.3
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress CSRF Oceanwp PHP
CVE-2025-8881 MEDIUM CVSS 6.5
Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Chrome Suse
CVE-2025-8770 MEDIUM CVSS 6.5
An issue has been discovered in GitLab EE affecting all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that could have allowed authenticated users with specific. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Gitlab
CVE-2025-8491 MEDIUM CVSS 4.3
The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
CVE-2025-5819 MEDIUM CVSS 5.0
An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
CVE-2025-2937 MEDIUM CVSS 6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
CVE-2025-2614 MEDIUM CVSS 6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an authenticated user to cause a denial. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
CVE-2025-2184 MEDIUM CVSS 5.3
A credential management flaw in Palo Alto Networks Cortex XDR® Broker VM causes different Broker VM images to share identical default credentials for internal services. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Paloalto Information Disclosure
CVE-2025-2183 MEDIUM CVSS 5.3
An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect™ app enables attackers to connect the GlobalProtect app to arbitrary servers. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Paloalto Information Disclosure
CVE-2025-2182 MEDIUM CVSS 5.6
A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). Rated medium severity (CVSS 5.6), this vulnerability is low attack complexity. No vendor patch available.

Paloalto Information Disclosure
CVE-2025-2181 MEDIUM CVSS 5.9
A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov's output. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Paloalto Information Disclosure
CVE-2025-2180 MEDIUM CVSS 4.8
An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non administrative user by scanning a malicious. Rated medium severity (CVSS 4.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Paloalto RCE Deserialization Hashicorp
CVE-2025-1477 MEDIUM CVSS 6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an unauthenticated user to create a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
CVE-2025-0818 MEDIUM CVSS 6.5
Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Path Traversal PHP
CVE-2024-12303 MEDIUM CVSS 6.7
An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
CVE-2024-10219 MEDIUM CVSS 6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Gitlab
CVE-2025-55193 LOW CVSS 2.7
Active Record connects classes to relational database tables. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-2498 LOW CVSS 3.1
An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Gitlab

Today's Vulnerabilities Vulnerabilities