Skip to main content
CVE-2025-54726 CRITICAL POC Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Miguel Useche JS Archive List allows SQL Injection. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.9%
CVE-2025-48148 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2025-53577 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-49408 CRITICAL Act Now

The Templately WordPress plugin through version 3.2.7 exposes sensitive embedded data to remote unauthenticated attackers via network-accessible endpoints. Discovery by audit@patchstack.com (likely through their WordPress security audit program). Despite a critical CVSS 10.0 score reflecting network-accessible, unauthenticated exploitation with scope change, the EPSS score of 0.04% (13th percentile) indicates extremely low observed exploitation probability in the wild. No active exploitation confirmed by CISA KEV, and no public exploit code identified at time of analysis.

Information Disclosure
NVD
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-49410 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC Testimonials allows Stored XSS.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-53213 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping allows Using Malicious Files.3.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-54049 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP allows Privilege Escalation.2.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-48169 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion.3.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-54014 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-53299 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows Object Injection.5.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-54713 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows Authentication Abuse.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-53580 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro allows Privilege Escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49422 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aelora iframe Wrapper allows DOM-Based XSS.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49400 CRITICAL Act Now

Stored cross-site scripting in WP Visitor Statistics (Real Time Traffic) plugin versions ≤8.2 allows remote unauthenticated attackers to inject malicious scripts into the WordPress database, leading to credential theft, session hijacking, or administrative account compromise. Reported by Patchstack's security team with EPSS exploitation probability of only 0.03% (8th percentile), indicating extremely low observed exploitation likelihood despite the critical CVSS 9.8 rating. No CISA KEV listing or public POC identified at time of analysis.

XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49890 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jorge Garcia de Bustos AWStats Script allows Stored XSS.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49434 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stijnvanderree Laposta WooCommerce allows Stored XSS.9.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49409 CRITICAL Act Now

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-49381 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in ads.txt Guru ads.txt Guru Connect allows Cross Site Request Forgery.txt Guru Connect: from n/a through 1.1.1. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-54048 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniOrange Custom API for WP allows SQL Injection.2.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-54677 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files.5.3. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-9288 CRITICAL POC PATCH Act Now

Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.js: through 2.4.11. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Sha Js Red Hat Suse
NVD GitHub
CVSS 4.0
9.1
EPSS
0.0%
CVE-2025-9287 CRITICAL POC PATCH Act Now

Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.0.4. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Cipher Base Red Hat Suse
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2024-57155 CRITICAL This Week

Incorrect access control in radar v1.0.8 allows attackers to bypass authentication and access sensitive APIs without a token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-57154 CRITICAL This Week

Incorrect access control in dts-shop v0.0.1-SNAPSHOT allows attackers to bypass authentication via sending a crafted payload to /admin/auth/index. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-55746 CRITICAL POC PATCH Act Now

Directus is a real-time API and App dashboard for managing SQL database content. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Directus
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-8611 CRITICAL This Week

AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Cyber Backup
NVD
CVSS 3.0
9.8
EPSS
2.2%
CVE-2025-8610 CRITICAL This Week

AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Cyber Backup
NVD
CVSS 3.0
9.8
EPSS
2.2%
CVE-2025-55444 CRITICAL POC Act Now

A SQL injection vulnerability exists in the id2 parameter of the cancel_booking.php page in Online Artwork and Fine Arts MCA Project 1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE SQLi Online Artwork And Fine Arts Project
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-50904 CRITICAL POC Act Now

There is an authentication bypass vulnerability in WinterChenS my-site thru commit 6c79286 (2025-06-11). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass My Site
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-50901 CRITICAL POC Act Now

JeeWMS 771e4f5d0c01ffdeae1671be4cf102b73a3fe644 (2025-05-19) contains incorrect authentication bypass vulnerability, which can lead to arbitrary file reading. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Jeewms
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-50640 CRITICAL This Week

jeewx-boot 1.3 has an authentication bypass vulnerability in the preHandle function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-57157 CRITICAL This Week

Incorrect access control in Jantent v1.1 allows attackers to bypass authentication and access sensitive APIs without a token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-9074 CRITICAL POC Act Now

A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Docker Microsoft Information Disclosure Windows
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2025-27129 CRITICAL This Week

An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 V5.0 V02.03.01.110. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Tenda RCE Ac6 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-12223 CRITICAL This Week

Prism Central versions prior to 2024.3.1 are vulnerable to a stored cross-site scripting attack via the Events component, allowing an attacker to hijack a victim user’s session and perform actions in. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 4.0
9.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy