Skip to main content
CVE-2012-10054 CRITICAL POC PATCH THREAT Act Now

Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.9%.

RCE Path Traversal Umbraco Cms
NVD GitHub Exploit-DB
CVSS 4.0
9.3
EPSS
75.9%
Threat
5.6
CVE-2012-10060 CRITICAL POC THREAT Emergency

Sysax Multi Server versions prior to 5.55 contains a stack-based buffer overflow in its SSH service. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 69.1%.

Buffer Overflow Stack Overflow RCE
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
69.1%
Threat
5.4
CVE-2012-10055 CRITICAL POC THREAT Emergency

ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 58.9%.

RCE
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
58.9%
Threat
5.1
CVE-2012-10058 CRITICAL POC THREAT Emergency

RabidHamster R4 v1.25 contains a stack-based buffer overflow vulnerability due to unsafe use of sprintf() when logging malformed HTTP requests. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 54.7%.

Buffer Overflow Stack Overflow RCE
NVD Exploit-DB
CVSS 4.0
10.0
EPSS
54.7%
Threat
5.1
CVE-2012-10059 CRITICAL POC THREAT Emergency

Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 43.6%.

Command Injection PHP RCE
NVD Exploit-DB
CVSS 4.0
9.4
EPSS
43.6%
Threat
4.7
CVE-2025-7384 CRITICAL Act Now

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Deserialization RCE Denial Of Service
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2025-51451 CRITICAL Act Now

In TOTOLINK EX1200T firmware 4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ex1200t Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-51452 CRITICAL Act Now

In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass A7000r Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-8913 CRITICAL Act Now

Organization Portal System developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP RCE Organization Portal System
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2025-8904 CRITICAL Act Now

Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 4.0
9.0
EPSS
0.0%
CVE-2025-34154 CRITICAL This Week

UnForm Server Manager versions prior to 10.1.12 expose an unauthenticated file read vulnerability via its log file analysis interface. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub
CVSS 4.0
9.2
EPSS
0.2%
CVE-2025-43986 CRITICAL This Week

An issue was discovered on KuWFi GC111 GC111-GL-LM321_V3.0_20191211 devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-43982 CRITICAL This Week

Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-52385 CRITICAL This Week

An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-50594 CRITICAL This Week

An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-34153 CRITICAL This Week

Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD GitHub
CVSS 4.0
10.0
EPSS
1.2%
CVE-2025-50251 CRITICAL POC Act Now

Server side request forgery (SSRF) vulnerability in makeplane plane 0.23.1 via the password recovery. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-54382 CRITICAL POC Act Now

Cherry Studio is a desktop client that supports for multiple LLM providers. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection RCE Cherry Studio
NVD GitHub
CVSS 3.1
9.6
EPSS
0.4%
CVE-2025-8760 CRITICAL This Week

A vulnerability was identified in INSTAR 2K+ and 4K 3.11.1 Build 1124. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-6715 CRITICAL This Week

The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Information Disclosure
NVD WPScan
CVSS 3.1
9.8
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy