Skip to main content
CVE-2025-57788 MEDIUM POC THREAT This Month

A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 83.1%.

Authentication Bypass Commvault
NVD
CVSS 4.0
6.9
EPSS
83.1%
Threat
5.4
CVE-2025-57790 HIGH POC THREAT Act Now

A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 49.6% and no vendor patch available.

RCE Path Traversal Commvault
NVD
CVSS 4.0
8.7
EPSS
49.6%
Threat
4.7
CVE-2012-10061 HIGH POC THREAT Act Now

Sockso Music Host Server versions <= 1.5 are vulnerable to a path traversal flaw that allows unauthenticated remote attackers to read arbitrary files from the server’s filesystem. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 51.6%.

Path Traversal
NVD GitHub Exploit-DB
CVSS 4.0
8.7
EPSS
51.6%
Threat
4.8
CVE-2025-57791 MEDIUM POC THREAT This Month

A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 40.3% and no vendor patch available.

Code Injection Commvault
NVD
CVSS 4.0
6.9
EPSS
40.3%
Threat
4.1
CVE-2025-54726 CRITICAL POC Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Miguel Useche JS Archive List allows SQL Injection. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.9%
CVE-2025-51991 HIGH POC This Week

XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Information Disclosure Apache XSS Xwiki
NVD GitHub
CVSS 3.1
8.8
EPSS
1.9%
CVE-2025-48157 HIGH POC This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion.5.9. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-57789 MEDIUM POC This Month

During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Commvault
NVD
CVSS 4.0
5.3
EPSS
7.4%
CVE-2025-48148 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2025-53577 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-49408 CRITICAL Act Now

The Templately WordPress plugin through version 3.2.7 exposes sensitive embedded data to remote unauthenticated attackers via network-accessible endpoints. Discovery by audit@patchstack.com (likely through their WordPress security audit program). Despite a critical CVSS 10.0 score reflecting network-accessible, unauthenticated exploitation with scope change, the EPSS score of 0.04% (13th percentile) indicates extremely low observed exploitation probability in the wild. No active exploitation confirmed by CISA KEV, and no public exploit code identified at time of analysis.

Information Disclosure
NVD
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-49410 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC Testimonials allows Stored XSS.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-53213 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping allows Using Malicious Files.3.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-54049 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP allows Privilege Escalation.2.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-48169 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion.3.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-54014 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-53299 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows Object Injection.5.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-54713 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows Authentication Abuse.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-53580 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro allows Privilege Escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49422 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aelora iframe Wrapper allows DOM-Based XSS.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49400 CRITICAL Act Now

Stored cross-site scripting in WP Visitor Statistics (Real Time Traffic) plugin versions ≤8.2 allows remote unauthenticated attackers to inject malicious scripts into the WordPress database, leading to credential theft, session hijacking, or administrative account compromise. Reported by Patchstack's security team with EPSS exploitation probability of only 0.03% (8th percentile), indicating extremely low observed exploitation likelihood despite the critical CVSS 9.8 rating. No CISA KEV listing or public POC identified at time of analysis.

XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49890 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jorge Garcia de Bustos AWStats Script allows Stored XSS.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49434 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stijnvanderree Laposta WooCommerce allows Stored XSS.9.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49409 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49381 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in ads.txt Guru ads.txt Guru Connect allows Cross Site Request Forgery.txt Guru Connect: from n/a through 1.1.1. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-54048 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniOrange Custom API for WP allows SQL Injection.2.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-54677 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files.5.3. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-54007 HIGH This Week

Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Object Injection.3.11. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53560 HIGH This Week

Deserialization of Untrusted Data vulnerability in rascals Noisa allows Object Injection.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-54735 HIGH This Week

Incorrect Privilege Assignment vulnerability in Emraan Cheema CubeWP Framework allows Privilege Escalation.1.24. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-48165 HIGH This Week

Incorrect Privilege Assignment vulnerability in DELUCKS DELUCKS SEO allows Privilege Escalation.6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-48164 HIGH This Week

Incorrect Privilege Assignment vulnerability in Brainstorm Force SureDash allows Privilege Escalation.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-48142 HIGH This Week

Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify allows Privilege Escalation.0.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-51990 MEDIUM POC This Month

XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Xwiki
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-49399 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms allows Cross Site Request Forgery.1.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-49382 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in DexignZone JobZilla - Job Board WordPress Theme allows Privilege Escalation.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-5260 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Pik Online Yazılım Çözümleri A.Ş. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-48158 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field allows Path Traversal.0.1. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-53194 HIGH This Week

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection.7.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Ssti Code Injection
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-49406 HIGH This Week

Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-6181 HIGH This Week

The StrongDM Windows service incorrectly handled input validation. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Microsoft Privilege Escalation Windows
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-49891 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in riotweb Contact Info Widget allows Stored XSS.6.2. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-6182 HIGH This Week

The StrongDM Windows service incorrectly handled communication related to system certificate management. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Privilege Escalation Windows
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-6180 HIGH This Week

The StrongDM Client insufficiently protected a pre-authentication token. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2025-54031 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Schiocco Support Board allows PHP Local File Inclusion.8.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53567 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Ghost Kit allows PHP Local File Inclusion.4.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53565 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Widget for Google Reviews allows PHP Local File Inclusion.0.15. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI PHP Google Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53207 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel WP Travel Gutenberg Blocks allows PHP Local File Inclusion.9.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53204 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist allows PHP Local File Inclusion.9.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53198 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez allows PHP Local File Inclusion.0.4. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy